IT Assurance

More and more organisations outsource some or all of their business functions, processes and operations to specialist providers in today's dynamic and interconnected business climate. As a provider of outsourcing services, you want your customers to be confident that these services are in safe hands with you. You want to demonstrate that your processes are well organised, that quality is guaranteed and that risks are managed and mitigated.

ISAE 3402 (SOC 1)

If the outsourced services are related to financial processes that are relevant to an auditor in the context of the audit of a customer's financial statements, the service organisation can provide information and assurance on its internal controls in an ISAE 3402 report (or its US counterpart, a SOC 1 report).

ISAE 3000

Currently there is an increasing demand for more transparency on non-financial processes. The service organisation can provide information and assurance on its internal controls in an ISAE 3000 report. An ISAE 3000 report will cover areas such as:

  • Software development
  • Change management
  • Service level management
  • Access control
  • Project management
  • Information security

The ISAE 3000 standard also underlies a number of industry-specific and product-specific reports, for instance on online access and identification audits, performance measurement system audits, grant audits, (tax) compliance and software certification.

SOC 2 – SOC 3

If the outsourced services are primarily IT processes, the service organisation can provide assurance on its internal controls in a SOC 2 and/or SOC 3 report. A SOC 2 and/or SOC 3 report will cover one or more of the following aspects (the Trust Services Criteria; Security is included in every SOC 2 report, the other categories are selected according to the service provided):

  • Security
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

A SOC 2 report is for limited distribution only, meaning that it is intended for your customers, their auditors (if required) and other stakeholders, such as your customers' security officers. If you do not want a restriction on distribution, a SOC 3 report is an appropriate alternative. This 'concise' version of the SOC 2 report is written for a general audience and is suitable for publication, e.g. posting on your website.

Compliance assurance

Regulators are increasingly introducing additional rules and regulations that require organisations to demonstrate that they comply with the applicable requirements. This is a direct result of technological developments, new market entrants and integrated business chains. Examples of such assurance audits are:

  • Deposit Guarantee Scheme SCV assurance: Dutch banks are required to guarantee consumer savings under the Deposit Guarantee Scheme (DGS). The Dutch Central Bank (DNB) requires banks to be able to generate a single customer view (SCV file) of all deposits held by a deposit holder within seven business days, so that the guaranteed amount can be paid out within the specified deadline. Each year the bank must engage an external auditor to issue an ISAE 3402 report giving an opinion, with a reasonable degree of assurance, on whether the bank complies with the provisions of the SCV policy rule.
  • ENSIA: with effect from 2017, Dutch local authorities have had to undergo a single information audit (Dutch acronym: ENSIA) of their information security. The new Government Information Security Baseline (Dutch acronym: BIO) came into effect in 2020; this also affects the scope of ENSIA.

Technology assurance

There are forms of IT assurance that concern a mix of organisational structure, processes and procedures, with a strong focus on the reliability of the technology itself, such as:

  • Artificial intelligence and algorithms. These technologies are now omnipresent. They offer many opportunities, but also pose threats to organisations that want to manage and control how they are applied. The public demands more transparency and assurance about the control of these algorithms and the digital decision-making they drive. Politicians and regulators alike are weighing in, opening a debate on the criteria that algorithms are expected to meet in order to address the potential risk areas.
  • Blockchain, smart contracts and distributed ledgers. These technologies are likely to trigger digital disruption in nearly all industries. Although blockchain technology creates opportunities for organisations, it also introduces new risks, and organisations are struggling to make informed choices about blockchain applications. Key aspects of those choices are the potential IT risks and the controls that can be put in place to mitigate them.

Supplier Security & Privacy Assurance (SSPA)

Strong privacy and security practices are the foundation of trust. Microsoft's Supplier Security and Privacy Assurance (SSPA) initiative applies to all suppliers who handle Microsoft personal or confidential data on the company's behalf, and is designed to standardise and strengthen the handling of sensitive information on a global scale. As a Microsoft Preferred Assessor, BDO can help current and prospective Microsoft vendors meet SSPA program requirements when they initiate or renew contracts. Having collaborated with the Microsoft SSPA team on the latest program updates, our team of professionals is equipped, and trusted by Microsoft, to advise clients throughout each stage of the compliance process.

Our services

BDO can help you by issuing an independent and objective assurance report on your internal control structure, which allows you to demonstrate to your customers and other stakeholders that you are in control. An assurance report addresses the requirements your user organisations place on you, such as the confidentiality, availability and integrity of data processing.

Contact

To find out more about how BDO can help you, please feel free to contact one of our specialists, with no strings attached.

Marco Francken
Partner IT Risk Assurance | BDO Digital

Jeroen van Schaijk
Partner IT Audit