Privacy audits

In cooperation with our professional association NOREA and NIVRA, the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) established the Privacy Audit Framework for the conduct of a privacy audit in an organization by a qualified auditor. The Framework is based on nine clusters. The result of a privacy audit gives the management of an organization a high degree of certainty about how the protection of personal data in the organization is ensured.

On the basis of a positive opinion from a so-called privacy auditor, the responsible organization is authorized, under certain conditions, to use the logo or mark “Privacy-audit-proof”. This assessment in the privacy audit is based on Directive 3600 “Assurance engagements relating to the Protection of Personal Data (Privacy audits)”. The purpose of this directive is to establish principles and guidance for the implementation of assurance services in this area. It is a response to the increasing market demand for an independent third-party assessment of an organization's system of measures and procedures for the protection of personal data.

Privacy protection in the Netherlands has been governed since 2001 by the Personal Data Protection Act (WBP). Virtually every organization in the Netherlands has to deal with this law. To assist organizations in determining how they comply with the WBP, the project “Development of audit products Privacy Protection Act (WBP)” was started in consultation with NIVRA and NOREA. This has led to four products that are useful for determining how an organization complies with the WBP. In addition, certification can be obtained through an external assessment. This assessment can be carried out by a Registered EDP auditor (RE) or Chartered Accountant (RA) who has sufficient knowledge of and expertise in the WBP and information technology to carry out the assessment under the Directive.

Source: website https: / / an initiative of the NOREA and NIVRA, together with the Dutch Data Protection Authority.


Possession of a certification increasingly applies as a condition for doing business in general or for exchanging information in particular. We are qualified to support the most common certification paths.

Audit courses

Training is a profession in itself. Auditing is also a special subject. We have both qualities and can therefore make a perfect link between theory and practice.

We provide courses for internal and external auditors, but also for managers who act as the contact for the auditors. We facilitate both courses for which students may register individually and customized training.


For individual students, we organize the training IT audit fundamentals several times a year. During this training the students learn the essentials of IT audit and the operation of the various components of IT governance. After participating in the training the student can independently perform a simple IT audit and knows when an EDP audit must be deployed. The topics are supported by practical case studies for immediate implementation in your organization. After the training you receive one case with which to fit the theoretical base that you have built up during the training into your practice. This case is used as the basis for the 3rd day session. The course consists of 2 or 3 days (during the 3rd day the case is discussed and a number of subjects submitted by the students are discussed further).

Download our general education brochure IT audit fundamentals.


Because every company is different, Duijnborgh Audit offers customized courses. These courses are specifically designed for your company to achieve the maximum return from the training. For example, your company's specific administrative organization, internal control procedures and business operations are included in the development of the training. With customized training, the students will better recognize everyday practice. This increases the effectiveness, because the participants can apply the subjects from the training directly in daily practice. Our customized courses can be provided both in-company and at an external location. The customized courses are always developed and defined in consultation with the client. This allows clients to add what is important to them to the curriculum.

For more information please contact us for an appointment.

Software package selection

Package selection is not an end in itself. Package selection is often part of a change or improvement. Our approach to package selection consists of research and the compiling of a long list and a short list, which guide us to the choice of the package. Our advice is completely independent because we are in no way bound to suppliers.

Assisting the financial auditor

More and more financial auditors are confronted with IT-related issues. With Sarbanes-Oxley, SAS70 and IT governance, it is difficult to envisage the audit of the financial statement without looking at IT, too. Not all audit firms have a dedicated IT audit function at their disposal. Furthermore, the financial auditor often lacks specific knowledge of IT environments. To these audit firms we provide our (IT audit) services whilst maintaining a strict division of tasks.

Our services to accounting firms include a full-service concept with which we cover the whole field of IT audit!


1. IT audits are a crucial part of the control process. Depending on the degree to which (financial) processes rely on automation, the financial auditor must decide whether he has sufficient proof that the data obtained by him is correct and complete.
2. Since the introduction of the WTA, the “atmosphere of permissiveness” as to whether IT audit is a mandatory part of the financial audit or not is history.
3. More and more customers of financial accountants request (or rather demand) a thorough audit of the IT environment. And when it is not the customer, then it is one of its customers or suppliers that demands assurance on how IT processes are controlled. In the last quarter dozens of accountancy firms (especially the smaller ones) lost customers to larger firms that do structurally apply the IT audit role.
4. An IT auditor earns his money back twice over: a technology audit can significantly reduce the number of tests, samples and other (context) controls, and thus the activities of the financial accountant.
5. Accountants that offer an integrated audit approach, including IT audit, are proven to be more successful than their counterparts who do not. Smaller audit firms, however, are not able to fit IT audit into their company. IT audit is a broad field, which is not easy to cover with a small IT audit department. As they say: “1 auditor is equal to no auditor”.


1. The core business of Audit Duijn Borgh BV is primarily IT audit and related activities. Our services are therefore in principle not competitive with the services of the financial auditor.
2. Our senior auditors are registered EDP auditors (RE), and we can also (for international customers) provide auditors that have the CISA certification.
3. We have multiple IT auditors, each having the specific expertise required. So we cover almost the entire IT field and can give an opinion on it.
4. We are very flexible: in most cases we can honor your request to fill the IT audit role within a few days. Small “jobs” do not scare us off. Our IT audit service is therefore within reach of all audit firms, from very small to (medium) large.
5. And finally: Our rates are highly competitive!

Information Security

Information security is an apparently simple subject with clear rules. From the fact that there are almost daily incidents in the news, it must be concluded that the subject is more complex than it looks. We use the premise that information security is a business issue of which ICT is a part.

The reliability of information is an important quality aspect of organizations. Laws and regulations in the framework of governance (VIR, Tabaksblat, SOX, etc.) also require attention to information security.

Information Security and Audit: The auditors will assess the adequacy of the information security policy and provide advice in the preparation of risk management. The outcome of an information security audit is an understanding of the effectiveness and progress of information security in an organization. Often such an audit is used to define the starting point for improvement.

Information Security and Advice: Our consultants (information security specialists) help organizations to define and organize the security management process. We also provide security officers, information officers, etc. on an interim basis to government and for-profit organizations.

With our years of experience in this area we know very well the pitfalls that are apparently inherent to this subject.

Continuity Management

Through extensive experience we have developed a practical but above all pragmatic method to manage the continuity of your organization.

On this website you can download a free Quickscan, which you can easily use to determine the extent to which your organization depends on IT.

Duijnborgh Audit has developed a number of instruments that can be used to determine how well an organization is able to start again after a disaster. The methodology is built on the CEM model that we developed (CEM stands for Continuity Efficiency Measurement).

The CEM model defines the risks that arise when ICT fails in an enterprise, where the bottlenecks are and, most importantly, what measures can (should) be taken to reduce or hedge the risks.

A number of showstoppers are built into the process, so that no more activity is carried out than is absolutely necessary to determine whether action is needed. The methodology is very suitable for medium-sized enterprises.

The steps in a Continuity Efficiency Measurement

CEM Quickscan
CEM Self
CEM Audit

By sending us an e-mail, you can request the Quickscan applications. We will send you the Quickscan free of charge.
Download the brochure, or contact us if you want more information.

Risk analyses

In some cases it is necessary to determine the dependency and vulnerability of the organization through a risk analysis. We have extensive experience both with analytical methods such as CRAMM and ACIB and with methodologies that define the risks of your organization effectively, efficiently and in a short time.


With our pre-audits we are the link between organizations and the certifying authority. We speak both your language and that of the certifying auditor.
We can support organizations that wish to certify against a certain standard, e.g. BS 27001 (Information Security), BS 7510/11/12 (Information in care) or BS 20000 (Service Management), with this service.

How does a pre-audit work?

We have specialists with extensive experience in certification programs. We can provide the following:

– we process the full certification file for the formal certification party;
– we establish the necessary formal procedures, manuals, etc.;
– we assist in the preparation of the (interim) reports for the certification body.

What are the advantages of a pre-audit?

– The certification path can be completed much faster because you do not have to invent it all by yourself;
– You have prepared a full certification file;
– You realize a counterweight to the certifying authority;
– You have a fixed point with short lines of communication;
– You will save considerably on costs.

Social Audit

We use the term Social Audit instead of the usual term Social Engineering. The research is based on the ‘traditional’ audit method, which means that the customer is assured of an expert, independent and responsible way of research.

Social Audit can be used to measure the quality of information. Roughly, a social audit can be performed using two techniques (both individually and in combination):

– as a technique whereby a computer cracker attacks a computer system by trying to take over the users of the system;
– as a form of influence on social behavior and attitudes.