How KBC Securities Services Safeguards Control and Trust Through ISAE 3402
For nine years now, KBC Securities Services’ internal processes have been independently audited under the ISAE 3402 standard, confirming the safety of our procedures. But as Vanessa Deschamps, Policy Advisor Risk, explains, compliance is far more than an annual check: accountability is embedded in KBC’s DNA.
Vanessa, what is ISAE 3402 and what does it cover?
“ISAE 3402 helps us show that our processes are robust and under control. It looks at the main risks in our business and at the checks we have in place to manage them. Just as importantly, it helps us prove that those checks are actually being carried out in practice.
At KBC Securities Services, we deliberately apply that framework broadly. While companies can choose to have only a limited set of controls reviewed, we include a wide range of critical activities, such as brokerage, settlement, custody, customer support, tax-related processes and key IT controls. That gives clients a much clearer view of how we manage risk across our operations.”
“We deliberately apply the ISAE 3402 framework broadly so clients have a much clearer view of how we manage risk.”
Vanessa Deschamps, Policy Advisor Risk
How does the ISAE 3402 process work in practice?
“We start with an overview file that defines all risks and controls, including how they can be evidenced. That file is the starting point for our external auditor, EY, who independently reviews whether the controls are working as they should. For each control, the auditors select specific cases, such as processed reports or transactions, and ask us to provide evidence that the control was carried out correctly.
That evidence can take different forms: emails confirming that a report was sent, screenshots from systems showing that a process was executed, or documents demonstrating that a specific action took place. Collecting all of that evidence requires close coordination across the organisation . More than fifty people within our department contribute to the process. So it really is a collective effort, with continuous interaction between our teams and the auditors.
The workload for the teams involved in the SOC is significant, which is why we organise the process in several waves throughout the year. The SOC cycle starts in June and runs through to January of the following year, with the report typically signed on the last working day of January. My role is to coordinate that overall process.”
Why does this matter to clients?
“Our clients outsource critical processes to us, but they still remain accountable towards their regulators. That means they need to be confident that those processes are being handled in a controlled and reliable way. ISAE 3402 provides that confidence. It gives clients independent proof that our controls are in place and working as they should.
For BPO clients in particular, this is essential. They rely on us to process activities that are critical to their business, but that their own customers never see. The ISAE 3402 report reassures them that these processes are well managed and under control. It can also significantly reduce the amount of additional audit work they need to do themselves.”
Do clients receive a copy of the ISAE 3402 report?
“Our BPO clients receive the full report. It is a detailed document that gives them a clear view of the controls in place, the testing that was done and the findings. That transparency is important. Clients want to understand how their outsourced processes are being controlled, and the report helps them do that.
At the same time, we handle that information with care. The report contains sensitive business information, so we are very mindful of how it is shared. But for the clients who rely on these services, it is an important tool to support their own governance and reporting.”
“Over time, ISAE 3402 has become embedded in how we think about risk and control across our organisation.”
Vanessa Deschamps, Risk Policy Advisor
How do you see ISAE 3402 evolve in the future?
“One of the biggest lessons is that the framework has to evolve with the business. Processes change, systems change and new services are added. So we have to make sure that what is written down still matches the way we actually work. If that is no longer the case, it creates friction during the audit. Even if the process itself is still under control, it becomes harder to prove that in the right way.
ISAE 3402 is very much a team effort and involves many people across the organisation. Over time, it has become part of the way we work and something we have built real expertise in. It is also increasingly embedded in how we think about risk and control in a company that is very aware of its importance.”
“For our clients, ISAE 3402 brings reassurance, transparency and less need for additional audit work of their own.”
Vanessa Deschamps, Risk Policy Advisor
