Guidance for accountants reporting on controls of a service organization relevant to the financial reporting of user organizations was primarily included in SAS 70. This regulation focused on risks related to financial reporting. However, it was often misused for reporting on operations or compliance. The SSAE 16 and ISAE 3402 regulations were established to address these issues.

EIOPA’s final postponement regarding the implementation of Solvency II in Europe (the start date is now set for January 1, 2014) ends an uncertain time for insurers. The reason for the postponement, announced in late 2011, has since been explained through Q&As and consultation papers. However, a number of questions remain unanswered, such as:

-  When will the outstanding issues (that emerged from the consultation papers, for example) be resolved?

- To what extent can insurers implement Solvency II in 2013?

Solvency II will have far-reaching consequences not only for insurers but also for the capital market.

Insurers, pension funds, and consultants have been anticipating the implementation of Solvency II for some time. In brief, Solvency II demands a more comprehensive risk management framework and higher capital requirements for European insurers.

As of February 1st, TCS Fund Services B.V. (part of Teslin CS) has completed the implementation of ISAE 3402. This demonstrates the organization’s control over internal processes.

EUROPEAN PRIVACY REGULATION

The European Commission has decided that the current legislation no longer aligns with the continuous changes resulting from digitization. This new privacy regulation comes in the form of a European regulation applicable to all organizations in the European Union; the General Data Protection Regulation (GDPR). The GDPR applies directly in all EU member states without the need for transposition into national law.

Risk management is a tool to systematically and explicitly identify, evaluate, and better manage risks by addressing them proactively. Risk management is based on conducting risk analyses.

In risk management, risks are controlled by determining how to manage the likelihood of the risk occurring or its consequences for identified risks.

As of January 2017, Student Experience Beheer B.V. holds an ISAE 3402 Type II report. This demonstrates that Student Experience meets high-quality standards and that its processes are in order according to international norms.

This article provides 4 steps to better oversee the audit process and work more efficiently.

Step 1. Is there a subservice organization?

The so-called subservice organizations represent a special class of suppliers. These are defined as “a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.”

Most businesses think of SaaS companies when they think of ISAE 3000 | SOC 2 compliance. However, most businesses in the travel industry (SaaS or not) need to collect and store consumer data to some extent. So, if the company manages a database – large or small – the companies must implement the latest and most effective cybersecurity protocols.

If you are a service organization and your customers entrust you with their data, you may need to pass a SOC 2 audit to sell your products. Your customers might now demand an audit report from you, or industry regulations might require it. You may need to provide proof of SOC 2 compliance to demonstrate that the data entrusted to you is well secured.