There are several types of IT auditor statements that are used for different purposes and businesses. They can also cover different time periods.
What the statements have in common, however, is that they are issued under international standards. Therefore, they also serve as documentation for customers and business partners abroad.
Two of the most common IT auditor statements are:
As auditors, we express a high degree of assurance about the technical and organizational security measures that you, as a data processor, have put in place to protect the data you handle on behalf of your customers.
We provide this statement if your company is an IT service provider - this could be hosting, operating an IT function, storing data for customers or providing Software as a Service (SaaS). An ISAE 3402 statement provides a picture of the overall state of your information security management and ranges widely - from the IT-related business processes that can affect financial reporting to the physical location of your servers. The starting point for our work is ISO 27001, the international management standard for information security.
The statements are prepared as either a snapshot (type 1) or a period statement (type 2).
A snapshot: This statement is about how your controls are designed and implemented. As IT auditors, we perform a series of procedures to obtain reasonable assurance about whether your description of the services and controls is fairly stated in all material respects and whether the controls are suitably designed in all material respects.
A period statement: This statement is about the design, implementation and effectiveness of the described controls for a specific period, typically 12 months. Again, as IT auditors, we perform a number of procedures to obtain reasonable assurance about whether your descriptions of services and controls are fairly stated in all material respects. We also verify whether the controls are appropriately designed and whether the controls have operated effectively in all material respects during the period.
Deciding which statement to get can be complex, and several factors come into play. Therefore, we recommend that you seek advice and guidance before deciding whether or not to get an IT auditor's report.
If you want to know more about the different types of statements, what they require and how they can improve safety and quality in your business, contact us for a no-obligation conversation.