As a SaaS provider of core Investment Management solutions in the highly regulated financial industry, we at FA Solutions know it is essential to ensure the services we provide have adequate internal controls.
International Standard on Assurance Engagements 3402 (ISAE 3402) is a widely recognized international assurance standard. ISAE 3402 has two types of assurance reporting:
- Type 1 for reporting the design and implementation of an organization’s controls placed in operation at a certain point in time
- Type 2 for reporting the design, implementation, and operating effectiveness of an organization’s controls over a period of time
In 2019, FA decided to initiate a project for ISAE 3402 Type 2 assurance based on discussions with our customers. This was driven by the following underlying demands from our customer base:
- We have financial institutions that follow the ISAE 3402 Type 2 standard for their whole service organization and use FA as a strategic solution within the services they provide. For these customers to achieve complete assurance for all of their services, FA also needs to provide an ISAE 3402 assurance report.
- Financial institutions operating in regulated markets, such as mutual fund operations, need to provide assurance to their auditors and the supervisory authorities. ISAE 3402 Type 2 assurance reporting is an excellent instrument for providing such guarantees.
How was it achieved?
To obtain an ISAE 3402 Type 2 report, an organization needs well-defined processes, access control solutions, and internal process controls in place. After the initial evaluation, FA selected Deloitte as our partner and auditor for our ISAE 3402 assurance reporting. The joint project, which started in February 2020 and was completed in January 2021, consisted of the following main sub-projects:
- The assessment of current processes and controls related to Portfolio Management Solution System’s management and operation: the control definitions were done based on key customers’ requirements and with guidance from the Deloitte expert team.
- Selecting and implementing new internal IT systems to automate and better facilitate the required controls within the organization and for our customers’ solutions hosted in Azure. See the picture below for the FA access management solution implemented as a part of the project.
- Documenting all processes required to meet the ISAE 3402 standards covering all parts of the organization, including Software Development, Customer Services, Professional Services, IT, HR, and Management.
- Following all implemented controls during the audit period from 15 September to 31 December 2020. This included fully automated controls run on the implemented IT infrastructure, regular review controls, and awareness training for the whole organization.
- Deloitte audit, including testing and verification during November 2020, final audit and reporting in early January 2021, and delivery of the final ISAE 3402 Type 2 report covering the audit period September 15, 2020, through December 31, 2020.
FA Solutions passed the Deloitte Audit and Assurance Reporting on January 15, 2021, without any remarks.
The audit and ISAE 3402 Type 2 reporting are now fully implemented in the FA organization, with annual audits for the benefit of our customers. The next report will cover the period 1 January - 31 December 2021 and will be issued to selected customers at the beginning of January 2022.
What does the ISAE 3402 Type 2 Assurance Report include?
The report is divided into the following sections:
- Independent Service Auditor’s Report
- Management’s Statements
- Description of FA Solutions’ Portfolio Management Solution
- FA Solutions’ Control Objectives and Activities, and Deloitte’s Test of Design, Implementation, and Operating Effectiveness
The report covers controls within the following processes relevant to the FA Portfolio Management Solution:
- Access management
  Control objective: Controls provide reasonable assurance that logical access to the Portfolio Management Solution System is limited to authorized individuals.
- Change management
  Control objective: Controls provide reasonable assurance that changes to application programs and related data management systems are authorized, tested, documented, approved, and implemented to result in the complete, accurate, and timely processing of business-critical information.
- Backup and recovery
  Control objective: Controls provide reasonable assurance that the customer systems are appropriately backed up, and that data and systems can be recovered in a timely and complete manner.
- Data processing
  Control objective: Controls provide reasonable assurance that system processing is executed in a thorough, accurate, and timely manner and that problems or errors are identified, recorded, and resolved according to defined processes.