Saturday, October 6, 2012

Misconceptions around SSAE 16 / ISAE3402

Pretty recently I was involved in a discussion about the need for Certification versus the need for Assurance. It was a pretty interesting discussion that led me to evaluate the conceptions and misconceptions that prevail in the industry, and I thought I would share it with the rest of the folks who would like to join the discussion here (though the discussion is over in real life).

The discussion centered on the need for Assurance Standards like SSAE 16 and ISAE 3402, and the interesting twist that was brought in was: "If my organization is ISO 27001 Certified, do I still need to undergo SSAE 16 or ISAE 3402 Audits?"

It took me a good amount of time initially to make the person understand that the ISO 27001 standard and its controls framework revolve around Information Security, not just IT Security. The certification process and the audit methodology involved take a different perspective from the one that SSAE 16 or ISAE 3402 Audits take.

Another argument thrown in during the discussion was that SSAE 16 and ISAE 3402 are aligned to the Financial Industry and that other industries do not benefit much from adopting these standards. I had a tough time addressing this point, as the people involved were not ready to understand it, for the misconception had a deep-rooted belief behind it. To explain it to them I had to break down the entire Audit and Reporting perspective of SSAE 16 and ISAE 3402 by the Audit Reports and the manner in which the Audit is approached. The discussion went from points to tangents with the counter-arguments, and there I had to actually dissect the SSAE 16 and ISAE 3402 Reporting requirements as based on the Impact to ICFRs and the Trust Principles. The explanation around Corporate Governance, the impact to ICFRs and the relationship between the SSAE 16 SOC 1 Type II and ISAE 3402 Type II reports helped the audience clear up the misconceptions they were carrying.

Another aspect that came to my notice is the misconception around the Reporting requirements in ISAE 3402. I was a bit startled that one of the persons in a Senior Audit Position came up with SOC 2 Reporting requirements for ISAE 3402. I clarified to them that there is no SOC 1, SOC 2 or SOC 3 reporting requirement in ISAE 3402; however, ISAE 3000 provides a provision to customize the ISAE 3402 reports to suit the Reporting Requirements, and the ISAE 3402 Report may be based on SOC 1, SOC 2 or SOC 3 as may be deemed reasonable.

The next point was to distinguish between Certification and an Audit Report that provides "Reasonable Assurance". Most of the participants in the discussion carried a misconception around SSAE 16 and ISAE 3402 regarding "Certification". They thought that the Auditors issue or release a Certificate of Compliance. However, they took good note when it was explained that SSAE 16 as well as ISAE 3402 Audits do not result in any certification; rather, they result in the issuance of an Audit Report that "may be" called a Report on Compliance Status, in which the Auditors provide a "Qualified" or "Unqualified" opinion on the Service Organization's Controls as defined and implemented for the given "client" operations.

This, however, is not the first time I have been in such a situation, where I had to explain the requirement to undergo an Audit that is more of an Attestation Audit than a Certification Audit. But I hope that as these two standards come more into practice, the situation will not look so grim to me.
