ISAE3402 for IT service organizations

ISAE3402 audit

More and more applications are offered as cloud services or through a Software-as-a-Service (SaaS) provider. As a service provider, you are likely to be asked regularly by your customers whether you have all your internal control measures in order. In this context, aspects such as data protection, fraud prevention and protection of personal data are the focus, and organizations' insight into security measures is often limited. To prevent all your customers from doing an IT audit with you, you can issue an ISAE3402 statement, known as an assurance statement, demonstrating that you have your data security well arranged.

ISAE3402 report

2-Control can provide you with an assurance statement, including in the field of ISAE3402. An ISAE 3402 report focuses on the internal control measures related to the processing of financial transactions at a service organization. The reporting is conducted in accordance with the ISAE 3402 audit standard; ISAE stands for International Standard on Assurance Engagements.

This assurance report refers to the internal control objectives and internal control measures prepared by a service organization that are essential to financial reporting.

Based on the ISAE 3402 standard, a report must contain the following components:

  • Claim of the management
  • Description of the system
  • Identification of internal control objectives
  • Internal control measures


Do you have a question? Get in touch with one of our IT audit professionals. We are pleased to help you.