We define Information Assurance as the use of information operations that protect and defend information and information systems and networks by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation, considering risk impacts due to local or remote threats from communications and Internet.

There is a broad range of assurance engagements, which includes any combination of the following:

• Engagements to report on a broad range of subject matters covering financial and non-financial information.
• Attest and direct reporting engagements.
• Engagements to report internally and externally.
• Engagements in the private and public sector.

An assurance engagement usually exhibits the following elements:

a. A three party relationship involving:
    a.i An acting professional;
     a.ii A responsible party; and
     a.iii An intended user.
b. A subject matter;
c. Suitable criteria;
d. An engagement process; and
e. A conclusion.

a.i – The acting professional provides assurance to the intended user about a subject matter that is the responsibility of another party. The professional has to observe a Code of Ethics and the principles of integrity, objectivity, professional competence and due care, confidentiality, professional behavior and application of technical standards.

a.ii – The responsible party and the intended user will often be from separate organizations but need not be. A responsible party and an intended user may both be within the same organization, for example, a governing body may seek assurance about information provided by a component of that organization. Therefore the relationship between the responsible party and the intended user needs to be viewed within the context of a specific engagement and may supersede more traditionally defined responsibility lines.

a.iii – The intended user is the person or class of persons for whom the acting professional prepares the report for a specific use or purpose. Some intended users (for example, bankers and regulators) may impose a requirement on, or may request the responsible party to arrange for an assurance engagement to be carried out on a particular subject matter.

b. Subject Matter: The subject matter of an assurance engagement may take many forms, such as the following:

• Data (for example, historical or prospective financial information, statistical information, performance indicators).
• Systems and processes (for example internal controls).
• Behavior (for example, corporate governance, compliance with regulation, human resource practices).

The subject matter may be presented at a point in time or covering a period of time. The subject matter of an assurance engagement is to be identifiable, capable of consistent evaluation or measurement against suitable criteria and in a form that can be subjected to procedures for gathering evidence to support that evaluation or measurement.

c. Criteria: Criteria are the standards or benchmarks used to evaluate or measure the subject matter of an assurance engagement. Suitable criteria are context-sensitive, that is, relevant to the engagement circumstances. For example, when reporting on internal control, the criteria may be an established internal control framework or stated internal control criteria, but when reporting on compliance, the criteria may be the applicable law, regulation or contract.

d. Engagement Process: The engagement process for an assurance engagement is a systematic methodology requiring a specialized knowledge and skill base, and techniques for evidence gathering and evaluation and measurement to support a conclusion, irrespective of the nature of the engagement subject matter.

e. Conclusion: Finally the acting professional expresses a conclusion that provides a level of assurance as to whether the subject matter conforms in all material respects with the identified suitable criteria.

Datasec undertakes Assurance Engagements based on consulting tasks, training and software tools.

Training

• IT Auditing based on COBIT.
• ACL software usage as a Data Analysis tool.
• COSO Report Application Course.

Consulting
Provided by certified professionals:

• CPA
• CISA
• CISSP
• CISM

Software Tools

• Meycor COBIT CSA
• Meycor COBIT AG
• Meycor COSO AG
• ACL