IT assurance audits are the examination and evaluation of an organisation's information technology infrastructure, applications, strategies, policies, procedures and standards. IT audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall strategy and objectives.
An IT audit, sometimes termed an information systems audit, is today an integral part of an external and internal audit. Our IT audit services provide our clients with robust independent assurance that their IT risks, key governance priorities and core systems are being appropriately managed. Engagements can range from where we express an audit opinion, e.g. under international standards like International Standard on Assurance Engagements (ISAE) 3402/3000, to agreed-upon-procedures, e.g. under the International Standard on Related Services, where we simply report on risks and control weaknesses found.
BDO South Africa has a dedicated team of career IT auditors that can support your organisation with the skills and experience you require. Whether you need a co-sourced or fully outsourced assignment, our team of dedicated professionals can deliver.
For IT-specific audit assignments the methodology not only draws from the Control Objectives for Information and related Technology (COBIT) framework, but also other international standards and frameworks, where necessary, e.g. AICPA’s Technical Practice Aids, TSP sec. 100 or the ISO27001 standard.
IT security certification (SOC 3)
System and Organisation Controls (SOC) are internal control reports created by the American Institute of Certified Public Accountants (AICPA).
Under SOC3 two types of audit reports can be issued:
- SysTrust - Geared primarily towards a service organisation using a wide variety of IT systems.
- WebTrust - Geared primarily towards e-commerce companies and the ability for their systems to adhere to online privacy, consumer protection and certificate authorities, along with one or more combinations of the trust services principles and criteria i.e. security, availability, processing integrity, confidentiality and privacy.
A SOC 2 report is a restricted-use report containing a detailed description of the service auditor’s control tests and results, as well as an opinion on the description of the service organisation’s system. However, a SOC 3 report is a general-use report outlining whether the system achieved the trust services principles and related criteria. It excludes a description of tests performed and results obtained, as well as an opinion on the description of the system.
If a service organisation receives an unqualified report, the organisation may also use the SOC 3 seal on its web site.