Xcina Case Study

Control Assurance Audit (ISAE3402 Type II) for Asset Management Organisation

The client

Channel Islands Asset Management Organisation

The work

Our Client has offices in the Channel Islands and mainland UK and had received requests from both current and potential investors to detail its internal control framework. This documentation had to take the form of a Service Organisation Control (SOC) report. Following discussion, it was agreed that the SOC report that best fit the Client’s requirements was an ISAE 3402 Type II report (International Standards for Assurance Engagements No. 3402). A Type II report describes the service organisation’s controls and also includes detailed testing to determine the operating effectiveness of those controls over a minimum six-month period.

How we helped

We held a workshop with Client stakeholders to discuss the different types of SOC reports and to propose the most appropriate one (ISAE 3402), based on our understanding of the business and its detailed requirements. We then assisted the Client in documenting its ‘System’ to highlight the processes, policies, procedures and operational activities that supported the core activities relevant to user entities (e.g. their customers), as required in an ISAE 3402 report. Once the Client had attested that the completed System documentation was accurate, we tested specific controls to determine the System’s overall operating effectiveness and documented this in a report, adhering to the requirements of ISAE 3402 reporting standards.

Value added

We successfully navigated the Client through the complex matrix of assurance reports, explaining the benefits and best fit for different types of organisations. The provision of the correct type of report, together with our assistance in clearly documenting the System, meant that the Client was able to provide the report to its investors to demonstrate clearly the controls in place within the business and, additionally, that those controls had been operating effectively for the previous six-month period. This gave the Client’s investors comfort that there was a robust control framework in place.

Industry and sector:

Financial Services

Solutions and service area:

What our clients say

"Xcina is always responsive to any question we have during the time we are implementing data protection remediation activities, they keep us informed and understand what we need and what we’re trying to do."

Getac Technology Corp, Legal Affairs Center

"Xcina is always responsive to any question we have during the time we are implementing data protection remediation activities, they keep us informed and understand what we need and what we’re trying to do."

ParkMobileUK, Managing Director

"Xcina Consulting performed an annual review of our card data environment, and ensured that we are compliant with the PCI-DSS. We continue to work with their experienced QSAs, leveraging their guidance and best practices so we have the highest possible level of security controls in place."

DKB Brands, Data Protection Officer

"Xcina really helped us to kick start our data protection compliance process. They took the time to speak to all departments of the business and outlined our highest risk to lowest risk areas. The insight and guidance they provided was essential for our business to become GDPR compliant."

Portman Settled Estates Limited, Estate Secretary

"Xcina’s ongoing support has ensured that our employees feel confident when dealing with data protection matters, with best practice knowledge and expertise from consultants who have taken the time to get to know our business and our industry."

National Bank of Kuwait, Compliance Officer

"Xcina worked with us on a number of data protection matters, including subject access requests and gave helpful, practical advice which reflected their understanding of technology issues as well as legal matters."

Your World Recruitment, Group IT Director

"We have worked with Xcina successfully for two years, initially on internal GDPR GAP analysis. We now have them engaged as our ‘Virtual DPO’ provider and regularly receive useful, pragmatic and, more importantly, actionable advice on all areas of Data Protection."

Quadrangle Research, Group Chief Operating Officer
