IT Audits & Assurance

Audits are effective tools for independently and expertly determining whether your company is meeting a certain standard or whether risks have been properly addressed. Assurance entails an independent auditor providing certainty by means of an opinion on a particular process or the effectiveness of measures. Audits can be carried out in many areas. Think, for instance, of the mandatory DigiD Assessment, audits for the purpose of certification, assessments of IT Control (ISAE 3402/SOC) or audits in the context of the financial statements. From an IT perspective, these audits are carried out – or coordinated – by certified Registered EDP Auditors.

What (IT) audits are there?

In principle, an audit can be carried out on all possible processes. Here are some of the audits we do.

DigiD Assessment and Suwinet 
Does your company have one or more DigiD connections? For example, so that citizens can view and pay their tax assessments online? You will then need to take proper security measures in order to use, and continue to use, these connections securely. Your company is required to account for this every year. The same applies to the use of Suwinet. For this, too, your company has to demonstrate that it has implemented appropriate measures. This is also part of the ENSIA accountability.

ISAE 3000/ISAE 3402/SOC 
ISAE is the international standard for performing assurance engagements. It comes in several forms, like ISAE 3000 for the assessment of IT Controls and ISAE 3402 for the assessment of IT Controls by service organisations for financial reporting purposes. In addition, ISAE distinguishes between Type 1 (snapshot) and Type 2 (over a period of time) certifications. SOC is a similar standard that has three different forms: SOC 1 is similar to ISAE 3402, SOC 2 is based on established principles (Trust Services Criteria) and also focuses more broadly on control processes, and SOC 3 is a shortened version of SOC 2 for publication purposes. So-called Third-Party Communications or Third-Party Assurance Reports are also based on these standards.

WPG Audit
The Dutch Police Data Act (Wet politiegevens, “WPG”) prescribes periodic internal and external audits. The WPG audit focuses on companies that process data that come under the WPG. This also applies to processing operations carried out by Special Investigating Officers (buitengewoon opsporingsambtenaren, “BOAs”). These usually fall under the responsibility of a municipality, meaning that the WPG applies in addition to the GDPR. The WPG audit was designed to assess how the processing of police data is organised.


What Audit & Assurance services does Cuccibu provide?

Cuccibu has the necessary knowledge, experience and certifications (RE, the title given to registered IT auditors) to carry out audits. In addition to carrying out audits, we also provide support to companies as they prepare for an audit, or help set up the frameworks required to comply with a particular norm or standard.

We are Cuccibu

Interested or have any questions?

Please feel free to contact us. We would be happy to help you find the solution that best suits your company’s needs.

“We believe that you create added value through secure and responsible digitisation. This leads to opportunities for individuals, companies and society as a whole.”