Get notified when there's news

Want to stay up-to-date? Sign up for our infoupdate. You'll be notified directly when we publish new content that's relevant to you.

I accept


Solid IT procedures and secure handling of sensitive data have become more important than ever.
August 19, 2022

IT auditor statements: Businesses demand independent documentation 

In sales situations and tenders, it's becoming increasingly common for even smaller companies to prove that they have 100% control over information security. This has led to a significant increase in interest in independent IT auditor statements such as ISAE 3000 and ISAE 3402. "It's crucial to show your customers and partners that you handle their data securely and professionally," says CIO and IT auditor Simon Okkels from inforevision.

Solid IT procedures and secure handling of sensitive data have become more important than ever, and the topic has moved into the boardrooms of companies across the country.

"Documenting your IT procedures used to be seen as an administrative burden, but today it has become an important tool in many companies. Partly because digitalization has made data and IT a major security risk that requires the full attention of the entire organization, and partly because companies increasingly need to be able to demonstrate that they have personal data and procedures under control if they want to bid on projects. Together, this has led to a growing interest in independent IT auditing," says CIO and IT auditor Simon Okkels from inforevision.

Read more about IT auditing and the ISAE 3000 (Data Processor Declaration) and ISAE 3402 (General IT Controls) declarations.

The process is as valuable as the product

Simon Okkels is a Certified Information Systems Auditor (CISA®) - a highly specialized global certification that guarantees deep knowledge of audit processes, reporting and compliance procedures in IT auditing and information security.

Simon Okkels uses these skills when he and his colleagues from inforevision visit data processors, IT service providers and others to prepare IT audit statements.
The statement provides an independent and accurate picture of how a company manages its information security and how the organization works with information and personal data. It provides transparency so that customers and partners can easily see what the company is doing and how well it is doing it. Two of the most common IT auditor statements are ISAE 3000 (Data Processing Statement) and ISAE 3402 (General IT Controls).

"The declaration itself is the product of our work, but often the process leading up to the declaration is just as valuable because it also includes advice and professional sparring on how the company can develop its set-up, streamline workflows and improve quality," says Simon Okkels.

A strong statement requires focus throughout the year

An IT auditor's statement must be renewed annually and typically the process is faster after the first year.

"On the other hand, we focus more on whether the company can prove and document that their processes and controls have worked during the period. Therefore, a strong statement requires an ongoing focus on information security management throughout the year," says Simon Okkels. 

Read more about IT auditing and the ISAE 3000 (Data Processor Declaration) and ISAE 3402 (General IT Controls) declarations.

Simon Okkels
Partner, CIO, IT Auditor
+45 39 53 50 25
so@inforevision.dk