

Successful audit according to ISAE 3402

IT service providers in the financial industry are constantly confronted with increasing regulatory requirements. Outsourcing is now a frequent focus of regulatory audits. This makes it all the more important not only to comply with current rules and standards, but also to have them certified by independent third parties.

24 July 2024

An important international auditing standard for IT outsourcing projects in this context is ISAE 3402 (International Standards for Assurance Engagements), which enables the outsourcing company to assess the internal controls of the service provider and thus gain a holistic view of its own internal control system (ICS).

finone GmbH was audited by an independent auditor in accordance with ISAE 3402 (Type 1) without any objections. The audit in accordance with ISAE 3402 (Type 2) will take place at the end of 2024. finone thus once again meets the high regulatory requirements.

BaFin regulates the outsourcing of IT components and software products, for example, through the Minimum Requirements for Risk Management (MaRisk), issued on the basis of Section 25a of the German Banking Act (KWG), and in more detail through the narrow guidelines of the Banking Supervisory Requirements for IT (BAIT).

However, even when outsourcing to third parties, the responsibility remains with the company itself and is not transferred to the service provider. ISAE 3402 therefore offers outsourcing companies the opportunity to obtain the necessary information for their own internal controls or to make use of third-party audits.

ISAE 3402 distinguishes between two types of report:

  • Type 1: The control objectives and their implementation are assessed.
  • Type 2: In addition to the control objectives and their implementation, the operational effectiveness of the controls is analyzed.

It was to be expected that customers from the financial sector in particular would request such a report from their service providers, a request that finone was happy to fulfill. Certification to ISO 9001 (quality management) and ISO 27001 (information security) took place early in the company's history. Given finone's focus on the financial industry with the successful finstreet and fintus brands, the decision was made to have an ISAE 3402 (Type 1 and Type 2) audit report prepared and externally audited as further documentation of internal efforts and established controls.

In addition to a statement by the company management assuring that the control system was correctly presented and that the control objectives were achieved with the controls implemented during the entire audit period, the ISAE 3402 report contains the following points, among others:

  • Services and processes that were audited
  • Period covered by the audits
  • Information on the control objectives and the corresponding controls

Preparations began as early as 2023, and an auditor was commissioned, since a prerequisite for the audit is that the report is prepared by an independent body. When formulating the relevant processes and control objectives, finone was guided by the control objectives that customers in the financial industry require.

From 2024, finone will have an ISAE 3402 (Type 2) report prepared annually, which will then cover an audit period of an entire year. Control reviews will also take place in this context so that the report can be supplemented with additional control points if required.

The financial industry is one of the most regulated sectors in Europe. Together with our clients, we meet this ongoing challenge.
