Category: Cyber Security

The relationship between ISAE 3402 and ISA 402

The ISAE 3402 standard states that a report prepared in accordance with ISAE 3402 already provides sufficient evidence under ISA 402 (Audit Considerations Relating to an Entity Using a Service Organization). ISA 402, for its part, focuses on the responsibility of the user organization to obtain adequate and appropriate control information when it uses one or more service organizations. It is important to note that many financial reporting standards, as well as a number of supporting standards, also play a role in interpreting, understanding and applying ISA 402, just as they do for the ISAE 3402 standard.

How Does a Service Organisation Prepare for ISAE 3402?

The ISAE 3402 standard requires service organisations to take a proactive approach in meeting the requirements imposed by the service auditors (accountants). Therefore, service organisations can greatly benefit from conducting an ISAE ‘Readiness Assessment,’ which will help in understanding the reporting requirements.

These reporting requirements include:

  1. Preparing a description of the service organisation’s system.
  2. Preparing a written management statement of assertion, which will be included in the final ISAE 3402 report.

Additionally, an internal audit within the service organisation may be involved in the entire assurance process if the service organisation’s auditor deems their objectivity and professionalism acceptable. Thus, conducting an ISAE 3402 ‘Readiness Assessment’ will be crucial for service organisations in understanding the scope of the assignment as well as comprehending the reporting requirements for the ISAE 3402 standard.

What is a Data Breach and What Can My Organisation Do About It?

Data breaches are increasingly in the news. Entire document sets and datasets belonging to companies, as well as to their stakeholders, end up easily accessible. This can have many consequences for the stakeholders, but perhaps even more for the company.

The Dutch Data Protection Authority defines a data breach as an incident involving access to, or the destruction, alteration or unauthorised disclosure of, personal data held by an organisation, without the organisation intending it.

A data breach is an incident where information is stolen or extracted from a system without the knowledge or consent of the system’s owner. Both small businesses and large organisations can experience a data breach. Stolen data can include sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national security.

The consequences of a data breach can manifest as damage to the target company’s reputation due to a perceived ‘betrayal of trust’. Victims and their customers may also suffer financial losses if related data is part of the stolen information.

Here, prevention is better than cure. Once data is exposed, it is difficult to recall, and removing the software involved afterwards is often neither effective nor complete. Prevention is therefore the best solution.

Every Company Can Address the Following Vulnerabilities:

  1. As previously mentioned, it is crucial to run the most recent operating systems and security software.
  2. All other programs should also be kept up to date; nothing may be overlooked here.
  3. Never click on strange links in emails. Many spam emails arrive via websites. Always check whether a message is a generic email with a link or an actual potential customer with a question.
  4. Get ISO 27001 certified. Information security is essential for every company. The ISO 27001 standard is an international framework for information security, and it can be used to organise information security.
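
Point 3 above asks the reader to check an email's links before clicking. As an added example (not code from the original page or from Securance), the Python below performs that check mechanically on an HTML email body: it extracts every link, flags link text that shows one web address while the href points to another, flags non-http(s) schemes, and flags hosts that are not on an organisation-specific trusted list. The sample email, the trusted domain `example.com` and the helper names are constructed for the illustration; the `.test` domain and the `192.0.2.x` address are reserved documentation values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html, trusted_domains):
    """Return (href, reason) pairs for links a reader should verify before clicking.

    trusted_domains: domains the organisation expects to see; subdomains are accepted.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        scheme = urlparse(href).scheme.lower()
        if scheme not in ("http", "https"):
            findings.append((href, f"unexpected scheme '{scheme}'"))
            continue
        # Visible text that itself looks like a URL must agree with the real target.
        shown = re.search(r"https?://([^\s/]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append((href, f"link text shows {shown.group(1)} but points to {host}"))
            continue
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            findings.append((href, f"host {host} is not on the trusted list"))
    return findings


# Constructed sample: one disguised link, one legitimate link, one link to a bare IP.
SAMPLE_EMAIL = """
<p>Dear customer, please review your invoice at
<a href="http://example-invoices.test/login">https://portal.example.com/invoice</a>.
If you cannot log in, <a href="https://192.0.2.10/reset">reset your password</a>.
Questions? Visit <a href="https://www.example.com/contact">our contact page</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, ["example.com"]):
        print(f"CHECK BEFORE CLICKING: {href} ({reason})")
```

Run against the sample, the disguised invoice link and the bare-IP link are reported and the contact-page link is not. In a mail gateway or a user-reporting workflow the same function can annotate messages before they reach the inbox; the trusted list should be kept short and specific to the organisation's own domains and those of its known partners.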

Enterprise Risk Management

If an organisation wants to achieve its objectives, it must manage and control the risks that threaten those objectives. COSO has defined the various elements of an internal control system for this purpose.

The COSO model illustrates the direct relationship between:

  1. The organisation’s objectives;
  2. The control components;
  3. The activities/units requiring internal control.

COSO identifies the relationships between enterprise risks and the internal control system. COSO views internal control as a process aimed at providing assurance regarding the achievement of objectives in the following categories:

  1. Achieving strategic objectives (Strategic);
  2. Effectiveness and efficiency of business processes (Operations);
  3. Reliability of financial reporting (Reporting);
  4. Compliance with relevant laws and regulations (Compliance).

Organisations must also demonstrate to investors and other stakeholders that they properly manage uncertainties (Code Tabaksblat and the Sarbanes-Oxley Act). In Securance’s approach to Enterprise Risk Management (ERM), risks are identified and their consequences are detailed. Securance uses the latest standards, methods, and techniques in risk management.

What does Enterprise Risk Management offer?

  • Insight into the significant risks of your organisation;
  • Qualitative and quantitative assessment of identified risks;
  • Insight and advice on the current control of risks;
  • Insight into your organisation’s risk costs;
  • A basis for designing and implementing risk management within your organisation;
  • Assistance in accountability for risk management.