IT Audits & Assurance

What (IT) audits are there?

In principle, an audit can be carried out on all possible processes. Here are some of the audits we do.

DigiD Assessment and Suwinet 
Does your company have one or more DigiD connections? For example, so that citizens can view and pay their tax assessments online? You will then need to take proper security measures to be able to (continue to) use this securely. Your company will be required to render account for this every year. The same applies to the use of Suwinet. For this, too, your company has to demonstrate that it has implemented appropriate measures. This is also part of the ENSIA accountability.

ISAE 3000/ISAE 3402/SOC 
ISAE is the international standard for performing assurance engagements. It comes in several forms, like ISAE 3000 for the assessment of IT Controls and ISAE 3402 for the assessment of IT Controls by service organisations for financial reporting purposes. In addition, ISAE distinguishes between Type 1 (snapshot) and Type 2 (over a period of time) certifications. SOC is a similar standard that has three different forms: SOC 1 is similar to ISAE 3402, SOC 2 is based on established principles (Trust Services Criteria) and also focuses more broadly on control processes, and SOC 3 is a shortened version of SOC 2 for publication purposes. So-called Third-Party Communications or Third-Party Assurance Reports are also based on these standards.

WPG Audit
The Dutch Police Data Act (Wet politiegevens, “WPG”) prescribes periodic internal and external audits. The WPG audit focuses on companies that process data that come under the WPG. This also applies to processing operations carried out by Special Investigating Officers (buitengewoon opsporingsambtenaren, “BOAs”). These usually fall under the responsibility of a municipality, meaning that the WPG applies in addition to the GDPR. The WPG audit was designed to assess how the processing of police data is organised.