ISAE audit reports
Efficient process for ISAE 3000/3402 auditors' statements in collaboration with Beierholm Godkendt Revisionspartnerselskab
Document your information security with the popular ISAE declarations
Unitas offers auditors' declarations based on common standards such as ISAE 3000 and ISAE 3402. These declarations are delivered in collaboration with Beierholm Godkendt Revisionspartnerselskab.
Read more below about the individual declarations and the contexts in which they are best used, as well as the process for preparing a declaration.
Did you know that..?
ISAE declarations based on the 3000 standard cover several variants:
1. ISAE 3000 is the typical declaration in relation to GDPR compliance.
2. ISAE 3402 is the typical declaration in relation to IT service providers, e.g. hosting.
3. NIS 2 does not have its own statement yet. Currently, an ISAE NIS 2 statement consists of ISAE 3000 plus 10 controls from ISAE 3402.
ISAE 3000 – auditor's statement with assurance
ISAE stands for International Standard on Assurance Engagements. It sets the standard for how auditor's statements with assurance must be carried out, and it is typically used in connection with GDPR.
The purpose of an ISAE 3000 audit is to provide an independent assessment of a specific subject or statement based on established criteria. ISAE 3000 is very often used to audit compliance with requirements in a data processing agreement, but can also be used for other purposes.
The declaration is typically prepared by an IT auditor and subsequently approved and signed by a state-authorised auditor.
Unitas offers to organize all the documentation and carry out the controls in the form of an internal audit, so that the final documentation is ready for the state-authorised auditor for approval.
As Unitas has IT auditors with extensive experience and the relevant certifications (CISA, CDPSE), the organisation, implementation and preparation of the auditor's statement are all in experienced hands, so you can save considerable cost and streamline the process by choosing this model.
The end result is a final declaration signed by the state-authorised auditor. In addition, Unitas prepares a clear action plan for any outstanding items resulting from the audit.
If you need a GDPR compliance report with a special focus on selected areas, we also offer impartial inspection reports. See more in the section "The individual and impartial inspection report".
As the data controller, the organization itself should continuously check compliance with the data protection regulation in order to document that the GDPR is being complied with. An effective way to do this is through an ISAE 3000 declaration, which clearly demonstrates credibility and security to stakeholders, customers and business partners. With such a statement, the organization can demonstrate that GDPR compliance is not just a claim, but a reality, verified by an independent third party.
In addition, it is possible that an ISAE 3000 declaration is required by one or more customers as part of their supervision of their data processors. Often this requirement is written into the data processing agreement.
In connection with the implementation of the NIS2 directive, it is also planned that suppliers to NIS2-covered entities can report on their compliance with the requirements of the directive in an ISAE 3000 statement, as part of supplier supervision, in the same way as is known from data processing agreements.
The audit can cover a wide range of areas such as:
- Compliance: Compliance with laws, regulations and agreements.
- IT security: Evaluation of controls related to information security and data protection.
- Quality management systems: Assessing the implementation and effectiveness of quality controls.
ISAE 3402 - the typical auditor's report for service providers
ISAE 3402 is a sub-specialization of the ISAE 3000 statement. The purpose of the audit is to provide an independent assessment of whether the service organization's internal controls are designed and operating effectively. This is particularly relevant for companies that outsource essential business processes to third parties.
The declaration is typically prepared by an IT auditor and subsequently approved and signed by a state-authorised auditor.
Unitas offers to organise all the documentation and carry out the checks in the form of an internal audit, so that the final documentation is ready for the state-authorised auditor for approval. This typically shortens the processing time considerably, as the preparations for the state-authorised auditor's work are optimised.
As Unitas has IT auditors with extensive experience and the relevant certifications (CISA), the organisation, implementation and preparation of the auditor's statement are all in experienced hands, so you can save considerable cost and streamline the process by choosing this model.
The end result is a final declaration signed by the state-authorised auditor. In addition, Unitas prepares a clear action plan for any outstanding items resulting from the audit.
The audit typically includes the following elements:
- Risk assessment: Identification and assessment of risks associated with the processes and systems used by the service organization.
- Control activities: Evaluation of the control activities designed to mitigate the identified risks.
- Testing of controls: Performing tests to assess whether the controls are working as intended.
- Reporting: Preparation of a report describing the results of the audit, including a description of the controls, the tests performed and any weaknesses or deficiencies found.
The resulting ISAE 3402 report is typically used by your customers and their auditors as part of their own assessment of their risk and control environment. The report provides customers with assurance that the service organisation has established appropriate internal controls that can support reliable financial reporting.
SOC 2 - the typical auditor's statement according to international standards
SOC 1, 2 and 3 statements
SOC (Service Organization Control) statements are based on American auditing standards published by the AICPA (American Institute of Certified Public Accountants).
There are many similarities between SOC and ISAE, and their purpose is the same – to contribute to the user's confidence in the material presented by a supplier.
SOC 2 is the declaration most often requested in Denmark from American suppliers, or that American customers request from Danish suppliers.
SOC 2 is based on a number of TSC (Trust Services Criteria) that cover: Security, availability, confidentiality, privacy and integrity. These criteria can be met by using recognized standards such as ISO27000/1 and NIST SP 800-53.
Most often, an ISAE 3000 declaration can be used as appropriate documentation towards American suppliers, but this is not guaranteed. Read more about ISAE 3000 in the previous sections above.
Unitas can offer to organise the documentation and carry out internal audits in relation to the SOC requirements, so that everything is ready for an audit firm with international representation to carry out the actual audit and issue the declaration.
All material is prepared in English and can be supplemented with a formal document that describes how the declaration meets the relevant TSC.
Declaration types and process
Both ISAE 3000 and ISAE 3402 statements can be drawn up as type I or type II.
Type I statement: Assesses the design and implementation of the relevant controls on a specific date. It thus provides a status at a given point in time and is usually used as a first declaration, or in connection with a newly launched service.
Type II statement: Assesses the design, implementation and operating effectiveness of the controls over a given period, typically 12 months and at least 6 months. This gives a more dynamic picture of how the controls work over time and is usually used as part of the ongoing follow-up with suppliers, or as supervision of data processors.
An ISAE 3000 statement can express either limited assurance or a high degree of assurance (reasonable assurance). The level reflects how extensive the auditor's tests and investigations have been in order to reduce the risk that deviations go undetected:
- Limited assurance: Provides a moderate degree of assurance, where the auditor formulates a negative conclusion, typically "nothing has come to our attention that gives reason to believe that the material presented is not truthful".
- High degree of assurance: Provides a high degree of assurance, where the auditor formulates a positive conclusion based on extensive tests and assessments, typically "we can conclude with a high degree of assurance that the material presented is, in all material respects, truthful".
The process for an ISAE audit includes the following steps:
- Planning and preparation: Definition of the scope and objectives of the task, identification of the relevant criteria and standards and agreement on the audit methodology with the client.
- Risk assessment: Identification and assessment of risks associated with the specific area to be assessed. This involves an understanding of the context and the control environment.
- Control activities and assessment: Evaluation of the controls designed to address the identified risks. This includes a review of documentation and procedures.
- Organisation of test activities: Based on the evaluated controls, the test actions judged necessary to obtain adequate assurance that the controls are implemented and operating effectively are planned.
- Execution of tests: Implementing tests and audit procedures to gather evidence that controls are operating effectively and as described. This may include interviews, inspection of documents, and observation and re-performance of procedures and controls.
- Conclusion and reporting: Preparation of the auditor's statement describing the audit work, including purpose, scope, methodology, findings and conclusions. The auditor expresses a conclusion based on the evidence gathered. In addition, the client receives a report of the observations made during the audit, so that any inappropriate procedures or weaknesses in the control environment can be addressed.
Contact us if you want to hear more about an optimized and efficient ISAE declaration process.