Skip to main content


Welcome to Certicus

Assurance Solutions

Certicus provides assurance services to a wide range of industries. At Certicus we believe that the combination of extraordinary talent and innovative technology will create incredible results. Our staff is dedicated to your business, professional and result focussed.
Quality and professionalism are part of our identity. Each member of our team commits to the highest standards.
We have 25+ years of experiences at top class companies in the IT and financial services industry.

Our Projects

News & articles

Organizations grow through improving internal control

Frequently Asked Questions

To obtain an ISAE 3402 certification you must have a description of your internal control. Such a report is known as a Service Organization Control Report (SOC 1). You will need to have this report audited by an external auditor. This accountant does not actually certify, but provides an assurance report in accordance with the ISAE 3402 standard with your SOC. There are specific requirements for the content of such a SOC 1 or ISAE 3402 report.

Many organizations focus on their core activities. Non-core activities are outsourced to other organizations. Both from a supervisory organization and due to the decreasing trust between market parties, the demand for certainty (assurance) about the outsourcing has increased. An ISAE 3402 provides assurance on all processes that ultimately affect the financial statements of the user organization.

Many organizations supervised by the Dutch Central Bank are required to demonstrate the real management of outsourced processes. An ISAE 3402 report can be helpful in this process and is increasingly being made compulsory by organizations like care offices, the AFM. International companies that are supervised by the SEC and that are required to comply with SOx 404 are also required to comply with all the requirements of ISAE 3402 or SSAE16 for the processes they outsource. In cases, therefore, the demand for ISAE 3402 is certainly justified.

You might be able to do this. An ISAE 3402 report must meet a number of form and content requirements. The ISAE 3402 standard is a public standard, you can download and consult it from our website. An ISAE 3402 report must at least contain a description of the control framework and a management confirmation with regard to that internal control.

ISAE 3402 is the international standard for outsourcing, which means that you meet international requirements that are also recognizable for both your domestic and international clients. Compliance with the ISAE 3402 standard is required in many tenders. Another advantage is that it is no longer necessary for your client to send its own auditors to you. In addition, ISAE 3402 is often used as a means to standardize and better organize processes in the organization.

That is mandatory. You must include information systems that affect the financial statements in the ISAE 3402 report (ref. ISAE3402.16). It is therefore often important to describe the controls in your operating system (Windows Server or Linux) in the ISAE 3402 report.

This is an example of the elaboration of the Dutch ISAE 3402 practice. SOx404 and the PCAOB standard require, for example, a daily check-up to be tested 25 times. The ISAE 3402 standard does not have these requirements. The ISAE 3402 standard stipulates that the service auditor must determine a sample size so that the risk is reduced to an acceptable level (Standard 27 b).

The Exclusion or Carve-out method concerns how the services provided by a sub-service organisation are handled. In this context, the description of the service organisation of its system includes the nature of the services provided by a sub-service organisation. However, the relevant internal control objectives and the related internal control measures of the sub-serviceorganisation are excluded from the description of the service organisation of its system as well as from the scope of the service organisation's auditor's engagement. The description of the service organization's system and the scope of the assignment of the service organization's auditor contain internal control measures of the serviceorganization that monitor the effectiveness of a sub-serviceorganization's internal control measures, which may imply that the service rganization assesses an assurance report regarding the sub-serviceorganization's internal control measures.