IT-Audit Services
Independent assurance reports for service organizations. We work with you to determine which type of report fits your situation and what your clients or regulators expect.
SOC 2 - ISAE 3402 - ISAE 3000 - DigiD
With a SOC 2 report, a service organization provides assurance to its customers about the quality of the control measures relevant to service delivery. The report focuses on the processes and systems that the service organization executes on behalf of its customers, and provides insight into the extent to which these operate reliably and in a controlled manner.
A SOC 2 assurance report is based on the AICPA's Trust Services Criteria (TSC), which are divided into five categories: security, availability, confidentiality, processing integrity and privacy. The security category is always in scope; the other four are included depending on the services provided and what customers expect. A Type I report assesses whether the controls designed and implemented by the service organization are suitable as of a point in time; a Type II report additionally assesses whether those controls operated effectively throughout the review period.
SOC 2 is thus a widely used IT audit framework for organizations that want to provide transparency about how they secure and manage sensitive data and business processes. It provides user organizations with independent insight into the design, existence and operation of relevant IT and security controls.
An ISAE 3402 report is an independent assurance report by an IT auditor or accountant, which provides assurance about the design, existence and - in a Type II report - the operation of control measures within a service organization. The purpose is to provide user organizations with insight into the extent to which they can rely on outsourced processes that impact their financial reporting.
As organizations increasingly outsource (critical) processes, their dependence on the quality and control of these services increases. While the primary focus is on processes relevant to financial reporting, the scope - depending on the arrangements made - can also include broader aspects such as the reliability of primary processes, information security, availability and integrity.
The report thus provides assurance about the level of internal control at the service organization, so that user organizations can rely on these controls within their own audit.
ISAE 3000 is an international framework for assurance engagements concerning non-financial processes and control measures. In an IT context, this is often applied to processes such as change management, incident management, service level management, security management, continuity management and software development.
An ISAE 3000 report gives user organizations independent insight into the extent to which these processes are suitably designed, actually implemented and - in a Type II report - operated effectively over a period of time. This makes it possible to demonstrate that the organization has control over the critical processes that determine the quality and reliability of its service delivery, independent of financial reporting.
ISAE 3000 is thus a flexible and broadly applicable assurance framework, ideal for organizations that want to provide assurance about general business and IT processes that determine their service delivery.
Many governments and healthcare organizations offer citizens the ability to log in via an online portal using DigiD. This gives users access to personal data or allows them to, for example, report a move via a digital form. Because DigiD provides access to privacy-sensitive information, strict security requirements apply.
To demonstrate that they meet these requirements, organizations in the Netherlands must obtain a DigiD TPM (Third Party Memorandum). This annual ICT security assessment must be performed by an independent IT auditor for every organization with a DigiD connection (service provider), including municipalities, healthcare organizations, application vendors and hosting parties. The assessment combines an audit of the control measures with a technical penetration test.
The DigiD standards framework is based on the web application security guidelines of the National Cyber Security Centre (NCSC). The assessment provides assurance about the extent to which an organization complies with the required standards for information security and the security of its DigiD connection.
The DigiD report contains an overview of findings per standard and is submitted to Logius, the administrator of DigiD. This provides both the user organization and involved service organizations with insight into any shortcomings and areas for improvement.
To optimally prepare organizations, Secure Audit also offers the option of a pre-audit. In this case, we test the extent to which your organization already meets the DigiD standards framework, so that any shortcomings can be remedied before the mandatory DigiD assessment takes place.
Looking for an IT auditor?
Every organization is unique. Get in touch for a no-obligation conversation about IT audit, compliance or risk management.