Our services

From IT audits such as SOC 2, ISAE 3402 and DigiD to risk management, compliance with ISO 27001, NIS2 and DORA and practical support with information security. Everything under one roof, from Eindhoven.

01

IT-Audit Services

SOC 2 · ISAE 3402 · ISAE 3000 · DigiD

Independent assurance reports for service organizations. We work with you to determine which type of report fits your situation and what your clients or regulators expect.

With a SOC 2 report, a service organization provides assurance to its customers about the quality of the control measures relevant to service delivery. The report focuses on the processes and systems that the service organization executes on behalf of its customers, and provides insight into the extent to which these operate reliably and in a controlled manner.

A SOC 2 Assurance report is based on the Trust Services Criteria (TSC) of the AICPA, which are divided into five categories: security, availability, confidentiality, processing integrity and privacy. The report assesses whether the controls designed and implemented by the service organization are adequate and (in the case of a Type II report) functioned effectively during the review period.

SOC 2 is thus a widely used IT audit framework for organizations that want to provide transparency about how they secure and manage sensitive data and business processes. It provides user organizations with independent insight into the design, existence and operation of relevant IT and security controls.

An ISAE 3402 report is an independent assurance report by an IT auditor or accountant, which provides assurance about the design, existence and – in a Type II report – the operation of control measures within a service organization. The purpose is to provide user organizations with insight into the extent to which they can rely on outsourced processes that impact their financial reporting.

As organizations increasingly outsource (critical) processes, dependence on the quality and controllability of these services increases. While the primary focus is on processes relevant to financial reporting, the scope – depending on arrangements – can also include broader aspects such as reliability of primary processes, information security, availability and integrity.

The report thus provides assurance about the level of internal control at the service organization, so that user organizations can rely on these controls within their own audit.

ISAE 3000 is an international framework for assurance engagements concerning non-financial processes and control measures. In an IT context, this is often applied to processes such as change management, incident management, service level management, security management, continuity management and software development.

An ISAE 3000 report provides user organizations with independent insight into the extent to which these processes are adequately designed, actually exist and – in a Type II report – functioned effectively over a period of time. This makes it possible to demonstrate that the organization has control over critical processes that are essential for the quality and reliability of service delivery, independent of financial reporting.

ISAE 3000 is thus a flexible and broadly applicable assurance framework, ideal for organizations that want to provide assurance about general business and IT processes that determine their service delivery.

Many governments and healthcare organizations offer citizens the ability to log in via an online portal using DigiD. This gives users access to personal data or allows them to, for example, report a move via a digital form. Because DigiD provides access to privacy-sensitive information, strict security requirements apply.

To demonstrate that organizations meet these requirements, the DigiD TPM (Third Party Memorandum) is mandatory in the Netherlands. This annual ICT security assessment must be performed by an independent IT auditor for all organizations with a DigiD connection (service providers), including municipalities, healthcare organizations, application vendors and hosting parties. The assessment combines an audit with a technical penetration test.

The DigiD standards framework is based on the web application security guidelines of the National Cyber Security Centre (NCSC). The assessment provides assurance about the extent to which organizations comply with the required standards for information security and DigiD connection security.

The DigiD report contains an overview of findings per standard and is submitted to Logius, the administrator of DigiD. This provides both the user organization and involved service organizations with insight into any shortcomings and areas for improvement.

To optimally prepare organizations, Secure Audit also offers the option of a pre-audit. In this case, we test the extent to which your organization already meets the DigiD standards framework, so that any shortcomings can be remedied before the mandatory DigiD assessment takes place.

02

Compliance Services

GDPR · NIS2 · DORA · ISO 27001 · NEN 7510

Need to comply with ISO 27001, NEN 7510, NIS2 or DORA? We guide you through the entire process: from gap analysis to implementation.

ISO 27001 is the international standard for information security management. We guide organizations through the complete implementation of an Information Security Management System (ISMS) — from gap analysis and risk assessment to policy development, procedures and operational embedding.

Our approach is pragmatic: we focus on what works for your organization and ensure that the ISMS not only meets the standard, but also actually contributes to better information security.

NEN 7510 is the Dutch standard for information security in healthcare. It is based on ISO 27001, but adds requirements specific to the processing of patient data and healthcare information.

We support healthcare organizations in implementing NEN 7510 and the associated standards NEN 7512 (data exchange) and NEN 7513 (logging). From policy development to operational implementation and audit preparation.

The General Data Protection Regulation (GDPR) sets strict requirements for the processing of personal data. We help organizations map processing activities, conduct Data Protection Impact Assessments (DPIAs) and implement appropriate technical and organizational measures.

NIS2 (Network and Information Security Directive) is the European directive that sets higher requirements for cybersecurity of essential and important entities. DORA (Digital Operational Resilience Act) specifically focuses on the digital resilience of the financial sector.

We support organizations in understanding the impact of this legislation, conducting gap analyses and implementing required measures in the areas of ICT risk management, incident reporting and resilience testing.

03

Risk Services

Risk assessments · Internal control · Regulators

Where are the risks in your IT landscape? We map them using ISO 27005, NIST or COBIT, test your internal controls and advise towards regulators like DNB and AFM.

A thorough IT risk assessment is the foundation for effective risk management. We identify and analyze IT risks based on business objectives, relevant threats and vulnerabilities.

Our methodology aligns with common frameworks such as ISO 27005, NIST and COBIT, and is tailored to the size and complexity of your organization. The result is a clear risk landscape with prioritized recommendations for improvement.

We assess the design, existence and operation of internal control measures around IT systems and processes. This includes access control, security management, IT operations and business continuity.

The evaluation delivers concrete insights into the effectiveness of your internal control framework and identifies areas for improvement that directly contribute to better management of IT risks.

Organizations in the financial sector are increasingly tested by regulators such as DNB and AFM on their IT management and cyber resilience. We support preparation for and execution of regulatory examinations.

We also advise on the implementation of relevant laws and regulations, such as DORA (Digital Operational Resilience Act), and help organizations bring their IT risk management to the required level.

04

Internal Audit

Internal controls · Risk management · Independent assurance

Strengthen your organization's internal controls. We perform independent internal IT audits that objectively assess processes, systems and controls, delivering concrete improvement recommendations.

We assess the effectiveness of IT processes, internal controls and information security from an independent position. Our audits provide management and the board with objective insight into the quality of internal governance.

From general IT controls (ITGC) and application controls to access management and security management. We test what matters most.

Our internal audits are always risk-based. We focus on areas with the highest impact: critical systems, sensitive data and processes where the greatest risks reside. This ensures our findings deliver real value.

After completion, you receive a clear report with findings, risk classifications and concrete recommendations. Through our platform you can monitor the follow-up of improvement actions in real-time.

05

Secure Audit Platform

Digital audit and compliance platform · Secure environment

Our own secure audit platform. Work programs, findings, evidence and communication in one place. Built with security-by-design: role-based access, encrypted storage and full audit trail.

The platform provides a complete digital work program for each audit engagement. Controls are tested through structured work programs with built-in review and approval flows.

Findings are recorded centrally with risk classification and recommendations. The client can respond directly in the platform and track progress on remediation actions.

All audit documentation is managed centrally in a structured file. From planning and scope to work papers, evidence and the final report. The file is compliant with applicable recordkeeping requirements.

Real-time communication between auditor and client through the built-in messaging system. Information requests, document exchange and status updates all take place through one central platform — no more separate emails.

06

Security

Vulnerability scans · Pentests · ISO 27001 · IEC 62443

How secure is your IT environment really? We test it with vulnerability scans and pentests, and guide the implementation of ISO 27001 and IEC 62443.

We perform automated and manual vulnerability scans on your IT infrastructure, web applications and networks. Vulnerabilities are identified, prioritized by risk level and accompanied by concrete recommendations for remediation.

Our ethical hackers simulate realistic attack scenarios to test the actual resilience of your systems. From web applications and APIs to internal networks — we show where an attacker could gain access and how to prevent it.

We guide the implementation of security standards from gap analysis to full implementation and certification preparation. Pragmatic and tailored, ensuring your organization demonstrably meets information security requirements.

Looking for an IT auditor?

Every organization is unique. Get in touch for a no-obligation conversation about IT audit, compliance or risk management.