
ISAE 3402

Organizations increasingly outsource non-core business processes to service organizations. A Service Organization Control (SOC) report in compliance with ISAE 3402 provides assurance over outsourcing. The ISAE 3402 standard originated from the growing demand for control over outsourced activities. The outsourced services can be Software-as-a-Service (SaaS) providers, asset managers, data centers or property managers. Please find the FAQ and further detailed information on ISAE 3402 | SOC1 below.


Essentially the requirements are 'free format'; however, the governing criterion of an ISAE 3402 | SOC1 report is the financial reporting process of your customers.


Generally this implies that the General Computer Controls (General IT Controls) are included in the report, together with all controls focused on financial reporting processes, which might also include operational or production processes.

The ISAE 3402 requirements are limited to general framework requirements only; however, general practice for SOC reporting has developed many best practices. If an organization does not comply with these best practices, the ISAE 3402 | SOC1 report might be perceived as a SOC1 report of lesser quality.


Generally an organization needs to describe the relevant processes, the risk management framework and a detailed control matrix. The detailed control matrix includes control objectives and control descriptions.


The ISAE 3402 | SOC1 implementation is best described in accordance with international standards for accountants and specific accountants' jargon.


After the description, all procedures and controls need to be in place. This requires uniformity in working procedures, management of the process and discipline within the organization to comply with these procedures.

This depends on the scale of the operation and the organization. If an organization uses ControlReports, the costs for a license are EUR 3.090. With a ControlReports license, all implementation procedures have to be performed by the organization itself.


The ControlReports license includes the Risklane best practice for a risk management framework, which is based on more than 25 years of in-depth experience with implementing control frameworks. If internal control knowledge is available in-house, no further costs will be incurred.


For a typical IT client with 50-250 employees, additional consultants are hired for approximately 3-5 days. The average costs for a consultant range from EUR 125 to 350.


If an organization decides to hire our consultants to implement the full process, the approximate resources required range from 80 to 120 days for a typical IT services (SaaS or managed services) client. As mentioned above, the resources required differ per industry, size of the organization, complexity and the impact of financial and operational processes apart from the General Computer Controls.

Generally, yes, although this depends on the specific requirements of your customer.

Supervisory authorities of financial institutions require institutions such as banks, pension funds and insurers to have control over processes outsourced to service organizations. Laws and regulations require these institutions to acquire this information from their service organizations by means of a SOC report in compliance with ISAE 3402, the international standard for assurance over outsourcing. ISAE 3402 has been the international successor of the US SAS70 standard since 2011. In the US, the SAS70 standard was replaced by SSAE 18 (SOC1) in 2011. By providing assurance on outsourced processes via an ISAE 3402 / SOC 1 report, insight is provided into the effectiveness of the execution of services, the security controls surrounding these services and the presence of sufficient anti-fraud measures.


ISAE 3402

Outsourcing services requires that information from the service organization is acquired to assess and address the risks associated with the outsourced services. Service Organization Control (SOC) reports are internal control reports that provide this information. ISAE 3402 is the international standard for assurance on SOC reports. An ISAE 3402 report typically includes the risk management framework, a description of controls and an assurance (audit) opinion of an independent auditor.

ISAE 3402 and outsourcing

Industries

ISAE 3402 is relevant for organizations providing services to other organizations, e.g. asset managers, pension service providers, Software-as-a-Service (SaaS) providers, Infrastructure-as-a-Service (IaaS) providers, Platform-as-a-Service (PaaS) providers and datacenter (service) providers. ISAE 3402 is relevant if the outsourced processes are related to financial processes. If the processes relate only to General IT Controls (GITCs), a SOC 2 (ISAE 3000) report might be more relevant.

Service providers

ISAE 3402 is an internationally recognized auditing standard issued by the International Auditing and Assurance Standards Board (IAASB). A service organization auditor's examination performed in accordance with ISAE 3402 is widely recognized, because it represents an in-depth audit of a service organization's control objectives and control activities, which often include controls over information technology and related processes. For service organizations this improves their ability to provide outsourced services to corporates, and these corporates are more likely to trust the services provided. The scope of the external auditor's examination includes the classes of transactions in the service organization's operations that are significant to the user organization's financial statements, and processes that are specifically defined by the service organization.

Yearly cycle

Audit process

ISAE 3402 assurance report

ISAE 3402 is applicable when an independent auditor ("user auditor") is planning the financial statement audit of an entity ("user organization") that obtains services from another organization ("service organization"). A SOC1 report ("ISAE 3402 report") allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of the audit. ISAE 3402 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the IAASB's standards for fieldwork, quality control, and reporting. In an audit of a user organization's financial statements, the user auditor obtains an understanding of the entity's internal control. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach to the audit of financial statements, and generally implies that the auditor does not perform a separate audit of outsourced processes. A service auditor may issue two types of reports: an ISAE 3402 Type I report or an ISAE 3402 Type II report.

ISAE 3402 type I

An ISAE 3402 Type I report includes an opinion of an external auditor on the controls placed in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are achieved and whether the controls are in place. A Type I audit opinion is not sufficient for a user auditor to perform fewer audit procedures on outsourced services.

ISAE 3402 type II

In an ISAE 3402 Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls over a predefined period. This implies that the external auditor performs a detailed examination of the internal control of the service organization and also examines whether all controls are operating effectively in accordance with the predefined processes and controls.

Risklane and ISAE 3402

Risklane was established in 2004 and advises and supports a significant number of European datacenters, SaaS providers, managed service providers, property managers and institutional investors. Organizations will experience the benefits of our in-depth experience and our pragmatic and professional approach to implementing compliance standards. Risklane prepares all ISAE 3402 reports in compliance with industry-specific best practices and generally accepted compliance frameworks, such as COSO 2013 and COBIT 5.0. These are considered the most advanced and professional standards in the industry and will support your customers in trusting your organization.