Technology Risk

IT Audit

The execution of high-quality information technology (IT) audit procedures, including understanding the effect of technology at business and IT-process levels, in support of a financial statement audit and an audit of internal control over financial reporting creates the foundation of our commitment to protecting investors and promoting trust in the capital markets.

EY Professionals serve the public interest by executing high-quality audit procedures with independence, integrity, objectivity and professional skepticism. In doing so, they help to support sustainable, long-term value creation.

EY multidisciplinary teams with subject-matter knowledge to address the most complex issues use a proven global audit methodology, our global auditing tools and the latest insights to deliver a consistent level of service worldwide.

EY professionals provide insights, candid observations and permitted services that lead to improved understanding of business risks arising from the use and implementation of technology and informed decision-making.

IT Audit services include:

• Integrated audit
• Financial statement audit
• Statutory audit

Service Organization Control Reporting and Attestation

The Service Organization Control Reporting (SOCR) services enable entities to provide trusted communications focused on internal controls to customers (and their external auditors), investors, management, regulators and other stakeholders. These services efficiently address service organizations’ customer needs for trusted risk-based information.

• SOC 1 helps entities (service organizations) that operate information systems and provide business process services supporting financial reporting, build trust and confidence in their delivery processes and controls through a report they can deliver to their customers and customers’ external auditors.
• SOC 2/3 help entities meet the needs of a broad range of users that require information and assurance about the controls at the entity that affect the security, privacy, confidentiality, availability and processing integrity of entity’s systems.
• SOC for Cyber helps entities meet the needs of a broad range of users that require information and assurance about an entity's enterprise-wide cybersecurity risk management program.
• SOC for Supply Chain helps entities meet the needs of stakeholders that require information and assurance about an entity's system and controls for producing, manufacturing, or distributing goods to better understand the risks in their supply chains.

EY teams also provide pre-assessment services for a draft subject matter such as a system description prior to the performance of a limited or a reasonable assurance engagement (e.g., SOC report).

Agreed Upon Procedures (AUP) services help entities communicate independent results of controls testing or other procedures agreed upon between the entity and third-party recipients of the report. AUP engagements allow entities to communicate independent factual findings on control testing or other procedures to third-party recipients of the AUP report. EY teams present and report on a set of procedures that entities and the specified third party report users agree to, and the related findings resulting from the procedures.

ISAE 3000 reports on audit-related procedures that the auditor, entity and any appropriate third parties have agreed to (related to nonfinancial information):

• ISAE 3000 control testing – the capability to perform the procedures and control testing, leading to an assurance report (in accordance with the ISAE 3000 standard)
• ISAE 3000 implementation support and training – the capability to provide training on the execution of procedures, leading to an assurance report (in accordance with the ISAE 3000 standard)

ISO Management System Certification, Implementation and Training

The ISO Management System Certification, Implementation and Training services provide implementation and certification of a management system according to ISO standards and other established certification frameworks.

EY CertifyPoint B.V., an EY entity founded in 2002, is an accredited, independent, and impartial certification institute headquartered in the Netherlands. Through EY CertifyPoint, EY teams provide Lead Implementer and Lead Auditor courses, including certification of entity personnel for several ISO standards.

EY teams support entities in meeting their goals by improving the efficiency and effectiveness of their management systems. EY teams keep the business at the center, identifying areas of redundancy, bottlenecks and potential efficiency gains by means of a systematic and independent certification approach against a globally recognized standard.

The following standards are addressed:

• ISO 9001: Quality Management System
• ISO 14001: Environment Management System
• ISO/IEC 20000-1: IT Service Management System
• ISO 22301: Business Continuity Management System
• ISO/IEC 27001: Information Security Management System
• ISO/IEC 27017: Cloud Security Controls
• ISO/IEC 27018: Protection of Personally Identifiable Information in Cloud
• ISO/IEC 27701: Privacy Information Management System
• ISO 37001: Anti Bribery Management System
• ISO/IEC 42001: Artificial Intelligence Management System
• ISO 45001: Occupational Health and Safety Management System
• ISO 50001: Energy Management
• World Lottery Association (WLA) assessments
• CSA STAR certification
• NEN 7510-1: Health Information Security Management System
• Hébergeur de Données de Santé (HDS)
• Multi-Tier Cloud Security (MTCS - Singapore)
• GDPR assessment
• CISPE Code of Conduct accredited monitoring body
• Integrated approach with ISAE3402, SOC and other attestation reports, such as a combination of ISO/IEC 27001:2013 with ISAE3402

System and process assessments

A system and process assessment includes an assessment of internal control as part of an upgrade or an implementation of an ERP (e.g., SAP S/4HANA), an application or a process. These services provide an independent assessment of an entity’s current state or a documented future state internal control to provide leading practice recommendations for management’s consideration. A system or a process upgrade or an implementation assessment helps the entity to:

• Obtain confidence that internal control considerations are adequately addressed.
• Understand complex business processes.
• Identify new risks and control gaps introduced by changes to process or technology and remediation recommendations based on leading practices.
• Enable the entity to take advantage of new capabilities that allow better leverage of investment in new process or technology, including opportunities for process automation and improvement, and GRC. integration, reporting and continuous control monitoring.

A pre-assessment of a draft subject matter such as a system description prior to the performance of a limited or a reasonable assurance engagement (e.g., SOC report), helps the entity to:

• Understand how to apply the evaluation criteria to the subject matter 
• Understand the disclosure requirements for the subject matter information (e.g., management’s description for a SOC report)
• Understand procedures performed to assess the subject matter information and/or controls

IT Compliance and Regulatory Assurance

IT Compliance and Regulatory Assurance services help entities understand, prepare for, and report to address rapidly evolving laws, regulations and professional standards. These services help an entity more sustainably and efficiently address regulatory and sector-specific (e.g., Government, Healthcare, Financial Services) technology compliance requirements. Examples include helping entities comply with requirements related to:

• AI regulations (e.g., AI Act)
• Cyber security (e.g., Cyber Resilience Act, Cybersecurity Maturity Model Certification, Network and Information Security (NIS2) Directive)
• Data security (e.g., Data Act)
• Digital resilience (e.g., Digital Services Act, Digital Markets Act, Digital Operational Resilience Act)
• Sector-specific requirements (e.g., HITRUST, SWIFT, TISAX)
• Data and IT controls in ESG reporting