Compliance certification: Why it matters to your business

CTOs must ensure their IT systems are fully compliant with the relevant standards to avoid hefty penalties in the wake of new data regulations.

With outsourcing becoming an increasingly popular way for companies to manage IT and data security systems, it is important any Chief Technology Officer can trust the service they are provided is fully compliant with regulatory standards.

Nowhere is this more true than in the financial services industry, where strict rules and regulations must be adhered to for companies to be licensed to trade. And given the recent scandals surrounding data security in cloud systems and the European Union’s crackdown with its latest General Data Protection Regulations – or GDPR – every CTO must be absolutely sure of their IT systems’ integrity.


It is for this reason internationally recognised auditors, including Ernst & Young and Deloitte, offer assurance certification services, such as the ISAE 3402 and FINMA certificates, inspecting third-party services and the infrastructure behind them to ensure they are sufficiently robust to meet the standards required by law to operate in these sectors.

The purpose of these assurance reports is to provide businesses, and their clients, with an objective report which expresses an opinion about the control environment of a service organisation. The result is an independent and objective opinion about a standardised set of service objectives which are typically tested each year so as to both assess the quality of the infrastructure at any one moment, but also to measure the continuing quality of service over a period in time.


Service reports relevant to Penta include ISAE 3402, ISAE 3000 and FINMA certification. These are all audited by internationally renowned auditing giant Ernst & Young. To achieve the accreditation, Penta has to provide evidence it will:

  • Prepare and present an accurate description of the systems provided
  • Specify the ‘control objectives’, or the goals of the system’s controls – such as to maintain complete control of a client’s data and processes etc
  • Identify the risks to achieving these control objectives
  • Design, implement and maintain controls to meet these set objectives

For businesses looking to outsource their data services provision, choosing a partner which is accredited to these standards ensures their systems will be benchmarked against the highest international regulatory requirements. And for Penta, it means its staff can stay focused on delivering the best quality service, while Ernst & Young take on the task of monitoring, assessing and reporting on the systems’ integrity.


Jonathan Da Dalto, Delivery Manager at Penta, says the company goes above and beyond the call of duty to ensure maximum compliance and peace of mind for clients:

Penta is audited on ISAE 3000 standard (ref. FINMA 08/7 circular) to guarantee it can provide services with the very highest requirements.

“Additionally, all Penta’s services are audited to ISAE 3402 standards, providing plenty of security for our many clients in the financial services industry and we have never had to perform additional controls or audits in order to meet our client requirements.”


Certifying your systems

Penta’s compliance record
 Meeting international standards for your business

What ISAE 3042 certification takes
 How Penta must prove its systems’ integrity
 Ernst & Young

Related Posts