ISAE3402 TYPE II
Since January 13, 2012, an ISAE3402 type II declaration has been issued every year by an independent accountant for the ASP solution of Aryza in the Netherlands (formerly Collenda Netherlands).
Why ISAE3402?
You can compare the ISAE3402 statement with proof of quality. Erik Koch, Director: “We came into contact with ISAE3402 through one of our customers. If a company has (partly) outsourced IT, it is logical that they want to test this for quality. ISAE3402 is a special quality standard for IT for financial institutions. We now have proof that our ASP solution is a good and safe choice.”
What is ISAE3402?
More and more organizations are outsourcing activities to service organizations, such as Aryza, to varying degrees. These outsourced activities can impact the financial reporting of these organizations. The management and accountant of this outsourcing organization will need to obtain information in some way about the management of the activities that have been outsourced to the Service Organization.
This ISAE3402 type II report has been drawn up for the clients (user organizations) of Aryza Nederland and its (external) accountants. Aryza provides insight into how the quality of service is guaranteed. The opinion of the external auditor on the adequacy, design and existence of internal control has been added.
To meet the need to obtain information on the control of outsourced activities, the international standard ISAE3402 (International Standard on Assurance Engagements No. 3402), “Assurance Reports on Controls at a Service Organization” has been drawn up.
An ISAE3402 examination focuses on predefined internal processes and control measures within a service organization. The scope of an ISAE3402 examination is twofold: all processes that influence the annual accounts of the user organization are included in the scope, and in addition the service organization itself can define processes to be included in the scope. An independent accounting firm examines the design, existence and possibly operation of these procedures and reports on this.
The scope of the ISAE3402 reporting
This ISAE3402 report relates to the core of Aryza’s services as a SaaS provider, which is laid down in the Service Level Agreements (SLAs/management contracts) and maintenance contracts with its customers and the technical management of its applications. The General IT Controls are aimed at continuous and reliable information provision and apply exclusively to customers who use the SaaS services. The consultancy services that Aryza Netherlands offers are not part of this primary service and therefore do not form part of the scope of this ISAE3402 report.
The most important parts of the core processes at Aryza Nederland are the development and maintenance of our systems and applications and the guarantee of the continuity of the systems for the benefit of its customers.
In addition to policy aspects regarding risk management and quality, the ITIL processes (Service Level, Incident, Problem and Change Management) and the infrastructure of the SaaS solution have also been audited.
Looking ahead
Aryza Nederland attaches great importance to quality and risk management. Several internal and external audits take place during the year to maintain the latest ISAE3402 type II declaration. The certification indicates that the design and control measures worked effectively last year for our organization and for the processes outsourced by customers to Aryza Netherlands.
The ISAE report itself contains confidential information and can be requested in writing by our customers. You can download the certificate of registration in the ISAE3402 register on this page.
For more information about ISAE3402 and the register, visit the site of the Corporate Governance Foundation.