Control Assurance Audit (ISAE3402 Type II) for Asset Management Organisation
Channel Islands Asset Management Organisation
Our Client has offices in the Channel Islands and mainland UK and had received requests from both current and potential investors to detail its internal control framework.
This documentation had to take the form of a Service Organisation Control (SOC) report.
Following discussion, it was agreed that the SOC report that provided a best fit for the client’s requirements was an ISAE 3402 Type II report (International Standards for Assurance Engagements No. 3402).
A Type II report describes the service organisation’s controls in addition to detailed testing to determine the operating effectiveness of the service organisation’s controls over a minimum six-month period.
How we helped
We held a workshop with Client stakeholders to discuss the different types of SOC reports and to propose the most appropriate (being ISAE 3402) based on the understanding of the business and its detailed requirements.
We then assisted the Client in documenting its ‘System’ to highlight the processes, policies, procedures and operational activities that supported the core activities relevant to user entities (e.g. their customers) as required in an ISAE 3402 report.
Following the Client attesting to the now completed accurate documentation for its System, we tested specific controls to determine the System’s overall operating effectiveness and documented this in a report, adhering to the requirements of ISAE 3402 reporting standards.
We successfully navigated the Client through the complex matrix of assurance reports explaining the benefits and best fit for different types of organisations.
The provision of the correct type of report and our assistance in clearly documenting the System for the Client, meant that it was able to provide the report to its investors in order to clearly demonstrate the controls in place within the business and, additionally, that those controls had been operating effectively for the previous six-month period. This enabled the Client’s investors to have comfort that there was a robust control framework in place.