Skip to main content


Organizations face ongoing challenges to comply with ever-mounting rules and regulations. Simultaneously organization focus on new and persistent risks as a consequence of providing services from the cloud. IT failures can lead to customer loss, reputational damage and high-profile legal exposure. In the environment risk management should be a strategic assets resulting in more confidence from customers and consequently more financials yields. Our approach supports this process.

Our approach

The core attributes of our approach are efficiency and minimizing the disruption of operational processes during the implementation and audit. This requires effective planning and open communication with our customers during the planning phase, throughout the entire engagement and particularly during the reporting and audit phase. Our approach is focused on delivering quality throughout the entire process and is subject to the Risklane and Conclude Accountants quality standards. In our approach, the process of the implementation and audit of ISAE 3402 or ISAE 3000, each consists of five phases. These phases are outlined below:

Phases implementation

In Phase 1, the scope of the controlreport (SOC1/SOC2) will be determined by the management of the organization, reviewed, and adjusted if necessary. The scope of de ISAE 3402/SOC1 or ISAE 3000/SOC2 report will be either all financial controls (SOC1) or all General IT Controls (SOC2).

Based on the quality of existing process descriptions and internal manuals, a detailed plan is prepared in Phase 2, in which the various milestones are identified and arrangements with management are made.

In Phase 3, the descriptions of the controls of the your organization are analysed based on interviews with your staff. Furthermore the control framework is reviewed and enhanced based on the COSO 2013/ COSO 2017 (ERM) framework and the ISAE 3000/ ISAE 3402 report is drafted. The deliverable of this phase is a organization specific Control Report report, consisting of control matrices, in which controls and related control objectives are described.

After drafting the ISAE 3402 report in Phase 3, a pre-audit or "walkthrough" will be performed by Risklane in Phase 4. During the pre-audit, all controls are tested and problem areas are identified for the final ISAE 3000 or ISAE 3402 audit. The pre-audit includes a walkthrough of operational procedures, scripting for application controls, monitoring & incident handling procedures, physical security measures and GITC procedures.

During Phase 5 improvements in the organization are discussed and solutions for the identified problem areas are implemented in consultation with your employees. 

Our Services

In this process our services focus on the project management leading to an ISAE 3402/SOC1 or ISAE 3000/SOC2 compliant report. These services include:

Overall project management for the implementing of an SOC1/ SOC2 report, including support on integrated project planning and the description of the controls.

Discussion with management of your organization with respect to the planning, implementation and scope of the audit.

Acquire existing documentation and interview your employees on existing controls and the control environment.

Deliver support in the documentation of the identified controls and improve existing processes and process descriptions if necessary.

Performing a walkthrough (pre-audit) focused on identifying possible issues that may arise during the final audit phase. This pre-audit will be performed under the responsibility of your organization and as such will be a part of the quality assessment of the organization.


Report the progress of the ISAE 3000 / ISAE 3402 project to the management of your organization on a regular basis.