Category: Cyber Security

ISAE 3402 | SOC 1 adapted to an organisation?

Systems and Controls: SOC reporting revolves around controls. An ISAE 3402 | SOC 1 report focuses on financial outsourcing, including asset management, SaaS providers (financial software) and data centers (storage of financial data). The SOC 2 report targets a broader scope for user organizations, with additional requirements on security, availability, processing integrity, confidentiality, and privacy. Our consultants guide many organizations in achieving the ultimate goal: a professional SOC report and an approving statement. What are the necessary steps to achieve this?

The Method

The initial steps involve understanding the criteria, selecting the right audit scope, and following a structured approach for implementation. In this article, we outline how this process unfolds. Obtaining an approved assurance statement relies on various factors and requires significant discipline from your employees in adhering to procedures and performing controls, but effective structuring and planning can greatly assist!

Criteria

The criteria for an ISAE 3402 | SOC 1 report mainly depend on the reporting procedures of the user organization, the SLA, and other requirements of the user organization. The criteria for an ISAE 3000 | SOC 2 report are developed by the American Institute of Certified Public Accountants (AICPA). The AICPA has developed criteria for trust services that are more descriptive and cover the control environment, risk management, communication, detailed controls, and detailed technical criteria.

In other words, the Trust Service Criteria broadly outline what needs to be done, but it is up to organizations to develop controls. Auditors verifying the organization’s controls through SOC audits observe and rephrase controls to determine if they are well-established, exist, and function effectively to achieve the desired outcome. The first step in the SOC implementation process is defining the audit scope.

Scope of Control

Gaining an overview of the environment and systems is crucial for defining the scope. Therefore, Risklane SOC implementation projects commence with a thorough analysis of the organization, infrastructure, services provided, and processes. Without this analysis, the quality of the SOC report may not be optimal, ultimately leading to a qualified opinion or, at the very least, an ineffective ISAE 3402 or ISAE 3000 audit. For an ISAE 3000 | SOC 2 report, the next step is understanding the Trust Service Criteria.

Understanding Trust Service Criteria
The first step to understanding the criteria is acquiring them from the AICPA website and studying them in relation to the defined scope. The Trust Service Criteria are contained in an extensive document, and the specific language may sometimes be challenging to comprehend, but investing time in studying them will pay off in later stages of the audit. The Trust Service Criteria include examples for each criterion of the risks and controls that typically mitigate these risks. After understanding the criteria, controls need to be mapped to risks and vice versa.

Mapping Risks and Controls

The most common errors we identify in existing frameworks are unmatched or redundant controls. Unmatched internal control measures are those that do not effectively cover a defined risk; the converse case, a risk for which internal control measures are lacking, is equally unmatched. Redundant internal control measures are internal control measures that are already covered by other internal control measures, or that do not cover any risk at all. These redundant controls essentially exist without a real purpose. After this analysis and matching, the next step is creating a control matrix.

Creating a Control Matrix

Documenting control objectives and related controls in a structured control matrix is beneficial for more than one reason: it becomes the source for how risk controls are structured and implemented, and it is a significant reference document for your SOC auditors.

In the matrix, the Trust Service Criteria related to monitoring controls are linked to a list of affirmative controls, demonstrating how these controls mitigate the relevant risk, are well designed, and are effective. In our experience, these should be as detailed as possible: who performs the control? What information is used? What is the outcome? How is this documented? Answering these questions will be very helpful for your auditor in validating that the listed internal control measures are present, designed to achieve the control objectives, and effective. In future articles, we will delve deeper into how to structure your control framework. Following this phase, the readiness assessment (pre-audit) takes place, after which the reporting is tailored and the final audit can be prepared.
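The two mapping errors described above (unmatched and redundant controls) and the control matrix itself can be checked mechanically once risks and controls are captured as data. The following checker is an added example, not code from the article or from any ControlReports product; the risk and control identifiers are constructed sample data.

```python
# Added example: check a risk/control mapping for unmatched and redundant
# controls, then build the control matrix (risks as rows, controls as columns).
from dataclasses import dataclass, field

@dataclass
class Control:
    control_id: str
    description: str
    owner: str                                # who performs the control
    evidence: str                             # how the outcome is documented
    risks: set = field(default_factory=set)   # risk ids this control mitigates

def find_unmatched(risks: set, controls: list) -> dict:
    """Risks no control covers, and controls that map to no defined risk."""
    covered = set().union(*(c.risks for c in controls))
    uncovered_risks = sorted(risks - covered)
    orphan_controls = sorted(c.control_id for c in controls if not (c.risks & risks))
    return {"uncovered_risks": uncovered_risks, "orphan_controls": orphan_controls}

def find_redundant(controls: list) -> list:
    """(control, other) pairs where 'other' already covers every risk of 'control'.
    For identical coverage, the control with the later id is reported."""
    redundant = []
    for c in controls:
        for other in controls:
            if other is c or not c.risks:
                continue
            same = c.risks == other.risks and other.control_id < c.control_id
            if c.risks < other.risks or same:
                redundant.append((c.control_id, other.control_id))
                break
    return redundant

def control_matrix(risks: set, controls: list) -> dict:
    """Matrix cell is True when the control is mapped to the risk."""
    return {r: {c.control_id: r in c.risks for c in controls} for r in sorted(risks)}

# Constructed sample data (hypothetical risk register and control list).
RISKS = {"R1", "R2", "R3", "R4"}   # e.g. access, data loss, unreviewed change, outage
CONTROLS = [
    Control("C1", "Quarterly user access review", "IT manager", "signed review sheet", {"R1"}),
    Control("C2", "Daily backup with restore test", "Operations", "backup log", {"R2"}),
    Control("C3", "Weekly backup", "Operations", "backup log", {"R2"}),   # covered by C2
    Control("C4", "Annual fire drill", "Facilities", "attendance list", set()),  # no risk
]

if __name__ == "__main__":
    print(find_unmatched(RISKS, CONTROLS))   # R3 and R4 uncovered, C4 orphaned
    print(find_redundant(CONTROLS))          # C3 is redundant with C2
```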


Audit Preparation

The process described above may seem a bit daunting, but do not panic. We can support you in this regard. We can help you understand the Trust Service Criteria and advise you on how to effectively align controls with risks and remove redundant controls. Of course, you can also obtain a ControlReports license for ISAE 3402 | SOC 1 implementation or ISAE 3000 | SOC 2 implementation, which provides a well-defined approach and an effective workflow for examining, understanding, and defining the different elements. Both ultimately result in SOC reporting in accordance with our industry best practices, based on years of experience. Contact Securance (+31) 30 2800888.

Outsourcing throughout history

Economies of scale

Since the industrial revolution, organizations have considered how to leverage their competitive advantage to expand markets and increase profits. The predominant model in the 19th and 20th centuries was the large integrated organization. In the 1950s and 1960s, businesses broadened their bases to capitalize on economies of scale.

The large integrated organization diversified its product range, requiring more layers of management for each expansion. Technological advancements such as the internet in the 1980s and 1990s forced organizations to globalize further, but they were hampered by the inflexibility of bloated management structures. To enhance agility, many large organizations developed a strategy focused on their core activities and core processes.

Principal-agent problem

The focus on core processes initiated discussions about which processes were essential and crucial for business continuity and which could be outsourced to external service providers. Processes or functions lacking internal resources were outsourced to specialized agencies or service providers. Consequently, the principal-agent problem evolved between user organizations and service organizations, and the principal-agent theory and related information asymmetry gained importance in line with outsourcing growth.

Information asymmetry

The most common agency relationship in the financial domain occurs between investors (or shareholders) and the management of a company. The principal may not be aware of the agent’s activities or may be prohibited by the agent from obtaining information. The result is an information asymmetry between the principal and the agent. For instance, management might want to invest in emerging economies while the principal’s risk tolerance is unfavorable. This management strategy might sacrifice short-term profitability, increase the company’s risks, and potentially lead to future higher returns. Investors seeking high current capital income with low risks may not be aware of these management plans. If the consequence of this management strategy results in certain losses, management may be inclined not to disclose this information to shareholders. The development of the accounting profession was a significant global development in mitigating the agency problem.

Risk and resource planning

As indicated above, situations may arise where the agent intends to allocate certain resources of the investors to high-risk investments. The agent is the decision-maker and bears little to no risk as all losses are borne by the principal. This situation may occur when shareholders contribute financial support to an entity that management uses at its discretion. The agent may have a different risk tolerance than the investors due to unequal risk distribution. Alternatively, employees may decide to invest their energy in a project that has no long-term benefits for the organization. Management is responsible for the organization’s financial situation and may be unaware of employees focusing on the wrong goals.

Financial consequences

If the principal is an investor or shareholder of an organization, the principal’s interests are focused on optimizing returns on investments. Returns from investments are distributed as dividends to investors in the short or long term. Principals are focused on optimizing (long-term) dividend yields. Paying high dividends to principals restricts investment opportunities or may cause cash flow problems for the organization’s management. Principals and agents have opposing financial interests in this regard.

The agency theory is also relevant in the management-employee relationship. Employees have an interest in increasing their personal salary and personal satisfaction with minimal effort. Management aims to optimize production or sales volumes at the lowest labor costs. In this context, information asymmetry also exists in the form of incomplete understanding of employees’ daily operations by management. Management is likely to implement budgeting mechanisms and controls to optimize employee activities for the organization’s purpose. The agency theory is also relevant in outsourcing situations.

Agency theory in outsourcing

In general terms, agency theory pertains to all relationships between two parties where one party is the principal and the other is the agent representing the principal in transactions with third parties. Agency relationships occur when principals hire agents to perform a service on behalf of the principals. Principals typically delegate decision-making authority to agents. Because contracts and decisions with third parties are made by the agent affecting the principal, agency problems may arise.

In the situation where activities are outsourced by a user organization to a service organization, agency theory is relevant to all aspects described: information asymmetry, risk tolerance, and committed resources. For example, a financial institution outsources IT services to a managed services provider. The managed services provider lacks insight into the institution’s risk tolerance and may decide that weekly backups are acceptable or that storing data outside the EU is acceptable. The service provider may not inform the organization about downtime of certain servers if the financial institution does not itself detect the outage. The service organization may also be inclined to minimize the resources performing activities while attempting to increase the fees it receives. A service organization may have a different tolerance for fraud or may engage in fraud itself. In the pension sector, asset managers can profit by front running transactions from pension funds. This results in the principal-agent problem described above.


Benefits: enhancing risk management and transparency

Organizations often face inquiries about security standards from (potential) clients: what are the differences between an ISAE 3402 | SOC 1, an ISAE 3000 | SOC 2, and an ISO 27001 audit? Which standard is more applicable to our business, ISAE or ISO 27001? What are the pros and cons of ISAE versus ISO 27001? ISAE 3402 and ISO 27001 are fundamentally different types of standards with equally different usage. The main differences lie in the reporting format and the audit that is conducted.

Tangible benefits

  • Risk intelligence
  • Market confidence
  • Audit efficiency
  • Enhanced control

ISAE and security

ISAE 3402 is an attestation from an independent auditor comparing System and Organization Controls (SOC) information to audit objectives or criteria. In an ISAE 3402 (SOC1) report, general IT controls (ITGCs) and thus security are included, but the primary scope is financial procedures and controls. An ISAE 3000 (SOC2) report focuses on the Trust Service Criteria, including security, availability, and privacy, and has more overlap with ISO 27001. A significant distinction is that ISAE 3402 and ISAE 3000 (SOC 2) reports provide an assurance statement, while ISO 27001 is a certification.

ISO 27001

ISO 27001 is a risk-based standard for establishing, implementing, and improving the information security management system (ISMS) of an organization. This standard security framework is maintained by ISO and IEC. The implemented ISO 27001 framework is certified by independent certification bodies. The organization must have the procedures and controls described in the High Level Structure (HLS) and Annex A of the ISO 27001 framework. The resulting security framework mitigates risks through the implementation of procedures and controls. ISO 27001 is a comprehensive system for ensuring information security, and all organizations that have implemented ISO 27001 must have at least an information security management system.

ISO 27001 or ISAE 3402?

The world has changed. ISO 27001 used to be the benchmark for information security, but with information security risks constantly evolving, many organizations require greater certainty about information security. ISO 27001 is a prescribed set of controls, while the ISAE 3402 and 3000 standards are principles-based. This means that it is not enough for controls to be formally implemented; they must also operate effectively. If they do not, an auditor will qualify the ISAE 3402 assurance opinion. An ISAE 3402/3000 audit is an in-depth audit focused on the effectiveness of the risk framework in controlling risks. If risks are not effectively controlled, this will be disclosed in the ISAE 3402 report. This level of transparency is required in the global economy and the constantly evolving threat landscape.

ISAE 3402 for assurance on outsourcing

The ISAE 3402 standard is an internationally recognized audit standard issued by the International Auditing and Assurance Standards Board (IAASB). The examination of a service organization by the auditor is widely accepted because it represents a thorough review of the internal control objectives and activities of a service organization. The audit framework and associated control measures are detailed in the System and Organization Controls (SOC) report. The scope of an ISAE 3402/SOC report consists of controls over information technology and operational processes affecting the finances of an organization.

SOC 1 OR SOC 2

SOC reports can be distinguished into SOC 1 and SOC 2 reports. An ISAE 3402/SOC 1 focuses on financial statements and all processes affecting them. An ISAE 3000 (or SOC 2) report is aimed at meeting a broader range of user needs, including concerns about privacy, confidentiality, and system availability. SOC 2 reports are modular based on the Trust Services Principles and Criteria.

Type I and Type II

An ISAE 3402 Type I report contains an opinion from an external accountant on the control measures in place at a specific point in time. The external accountant examines whether internal control measures are adequately designed to provide a reasonable level of assurance that the assertions in the financial statements are achieved and whether internal control measures exist. In an ISAE 3402 Type II report, the external accountant also reports on the operation of these control measures over a predetermined period. ISAE 3402 reports typically cover the design and operation of controls for a 12-month period with continuous coverage from year to year. A report may cover a minimum period of six months.

Aligning external requirements with internal risk excellence

In outsourcing situations, many questions may arise: Are services performed in a controlled manner? How is security handled? Who has access to our information? Are there adequate fraud prevention measures in place? ISAE 3402 provides a solution to these problems.

ISAE 3402 supports organizations in measuring and evaluating risks and aligning the resulting control framework with strategic objectives and these risks. A one-time investment in the framework pays off by enhancing market confidence and organizational excellence.