IT Audit & ISAE 3000/3402 - How to get an IT auditor statement


How do I get an IT auditor's report?

IT audits are like regular audits: the better control you have over supporting documents and documentation, the smoother the audit process will go. 

That's why it's important that you have IT policies and procedures for information security in place and that execution is high on the to-do list. 

We guide you

When you first get a declaration, the declaration process may be preceded by a maturation phase. You may have some sound processes in place, but they may not be written down or the execution well documented. Here we are ready to guide you on the right path.

In the following years, you will get to the declaration process faster. However, there is more focus on proving and documenting that your processes and controls have worked during this period. A strong declaration therefore requires an ongoing focus on information security management throughout the year. 

The declaration process always concludes with a review of our observations, recommendations and comments. 

How an IT auditor's report is created

The declaration process itself typically takes 3-4 weeks, depending on how many resources you as a company can make available along the way.

In general terms, the process works like this:

1. Clarification

We'll discuss your needs and clarify which type of IT auditor's report is right for your business. 

2. Preparation

Together with you, we get an overview of the materials. What relevant policies, procedure descriptions, etc. do you have that we can read and review? And is there anything that should be implemented before we start the actual declaration work?

3. Audit

In the audit process, we review material and documentation for your controls and procedures. During the process, there will be 2-4 audit meetings where we review questions and requests. The meetings take place either physically at your premises or digitally.

4. Declaration

We issue a statement describing the controls we have tested to provide a high level of assurance.

5. Supervision

An IT auditor's certificate always has an expiration date and therefore needs to be renewed regularly. Usually it's once a year. We'll agree when it suits you best.


Let's discuss your IT audit needs 

At inforevision, we draw on knowledge and experience from a wide range of industries. But our starting point is always the reality of your business.

We are ready to discuss with you how we can best approach the task. Our goal is to ensure high quality and an efficient process with a minimal drain on your resources.

If you want to know more about the different types of declarations, what they require and how they can improve safety and quality in your business, contact us for a no-obligation sparring session. 

Download our pdf publication on the topic: ISAE 3000 and ISAE 3402 - Auditors' Statements on Information Security and Data Processing Agreements (GDPR).

Contact Simon

Simon Okkels is a Certified Information Systems Auditor (CISA®) - a global certification that guarantees deep knowledge of audit processes, reporting and compliance procedures within IT auditing and IT and information security.

Contact John

John Søbjærg is a state-authorized public accountant with in-depth knowledge of small and medium-sized companies in many industries. He has many years of experience in advising companies and issuing auditor's reports. 

Employees
140

Customers
3900

Revenue
+150 million

Year of establishment
1986

Growth per year
10%