IT Assurance
A prerequisite for doing business these days is having your IT environment in good order. If you want to provide assurance to your clients and other partners about the internal control of your IT, you have to be able to report against the right IT assurance standards. Proactively testing your own internal IT control framework gives your organisation the opportunity to stand out from the competition. We can assist your organisation by conducting audits and delivering the required assurance reports on time. Our IT auditors are familiar with virtually all national and international assurance standards and are here to help you with all your assurance questions.
Broad knowledge and expertise
As IT auditors at Baker Tilly, we are familiar with virtually all national and international assurance standards, and many industries and sectors have standards of their own. The standards we work with most often include the Single Information Audit Unified Norm (ENSIA), the requirements of the Dutch Police Data Act (Wpg), the government information security baseline (BIO), ISAE 3000, ISAE 3402 – SOC1, SOC2, SOC3 and SOC for Cybersecurity, and the Privacy Control Framework of the Dutch Association of Registered EDP Auditors (NOREA).
If you are interested in finding out how the assurance process works in practice, feel free to read about how we advised the Arnhem-based ICT company Diabolo ICT when it needed an ISAE statement because some of its clients required one.
Our assurance services
- Single Information Audit Unified Norm (ENSIA): under ENSIA, municipalities have to inform their municipal councils about the extent to which information security is in order for various parts of their administration. In particular, the DigiD environments and the Work and Income Implementation Structure (SUWI) environments fall within the scope of the IT audit. The report this work produces goes to the supervising bodies, such as Logius or the responsible ministries.
- Dutch Police Data Act (Wpg): the Act stipulates that organisations employing a special investigating officer must report to the Dutch Data Protection Authority once every four years on how they handle privacy-sensitive police data. The first year for which these organisations had to account was 2021; the next year for which an external audit will have to be carried out is 2025. In the intervening years, our auditors are happy to help these organisations conduct their annual internal audit of data subject to the Act.
- Government information security baseline (BIO): the purpose of the baseline is to ensure information security in the public sector. Public-sector organisations are currently obliged to comply with the baseline, but engaging an external auditor to examine whether they actually do so is not yet mandatory. We would like to see that obligation introduced, because only then will information security in the public sector, and in the organisations providing services to governments, be taken to the next level. Nevertheless, we are already conducting baseline audits at several public-sector organisations. This is a positive development, and we are happy to serve more government organisations.
- ISAE 3402 / SOC1: an ISAE 3402 report, which is comparable to a SOC1 report, is compiled for your clients' annual financial audit. It allows your clients' auditors to assess the quality of the services you provide, and of the controls behind them, as part of that audit. The scope of the report is therefore limited to what is relevant to your clients' financial reporting, which in practice often includes IT controls.
- SOC2 and SOC3: these reports are intended to give your clients more general assurance about the quality of your IT services, in terms of the trust services criteria: security, availability, processing integrity, confidentiality and privacy. A SOC2 report is a detailed report for a restricted audience; a SOC3 report is a summary intended for general distribution.
- SOC for Cybersecurity: this report is designed to account for your organisation's cybersecurity programme as a whole. You can use a SOC for Cybersecurity assurance report to build trust among your clients specifically on this topic.
- Privacy Control Framework: this Dutch standard is used to provide assurance to clients and other stakeholders about the degree of privacy control at an organisation. You can use the report to substantiate that you handle the privacy-sensitive data entrusted to your organisation with due care.