What is ISAE 3402?
An ISAE 3402 statement is an independent assessment by a certified IT auditor of the quality of (financial) processes that have been outsourced to a third party. Organizations increasingly outsource non-core processes to service organizations, so the quality and control of these outsourced processes become dependent on those service organizations.
Due to higher requirements in legislation and regulations and the need to be able to demonstrate internal control, the demand for more certainty about the quality and control of outsourced services is increasing. Financial institutions, listed organizations and professional companies therefore often ask the service organization for an ISAE 3402 statement.
ISAE 3402 is the internationally recognised assurance standard for outsourcing. With an ISAE 3402 report, you as a service organization can demonstrate that the processes that have been outsourced to you are carried out reliably and that the information is sufficiently secure.
Our ISAE 3402 audit support
2-Control consists of an enthusiastic team of registered IT auditors who can help you with an ISAE 3402 statement at short notice. We have many years of experience in successfully implementing and assessing ISAE 3402 projects at service organizations. Since an ISAE 3402 report is often also related to the processes of the annual accounts, it is of great added value that our REs have knowledge of both financial processes and IT processes.
Advantages of ISAE 3402
- You meet international requirements that are recognisable for both national and international clients.
- Compliance with the ISAE 3402 standard is required in many tenders, for example by accountants of user organizations. The outsourced processes often have an impact on financial and operational processes that affect the financial statements of the user organization.
- The quality of outsourced processes is guaranteed to your customers.
- You receive confirmation from an external party that your organization is well managed.
- The accountant of a user organization can rely on this report for his financial statement.
- In many cases, an ISAE 3402 report will satisfy the user auditor’s requirements.
ISAE 3402 approach of 2-Control
- Baseline measurement:
  a. Alignment of scope;
  b. Alignment of standards.
- Assessment of description and set-up of management measures (SOC 2 type 1)
  a. Verifying that the description of the system gives an accurate picture;
  b. Determining the set-up of control measures through interviews, studying documentation and measures, observation, testing and sampling;
  c. Comparing reality with standards;
  d. Quality assessment and reporting on description and set-up.
- Assessment of the effective functioning of management measures (SOC 2 type 2)
  a. Periodic determination of the operation of control measures by means of interviews, observation, testing and sampling;
  b. Comparing reality with standards;
  c. Quality assessment and reporting.
Differences between SOC 2 and ISAE 3402
- ISAE 3402 is mainly used to provide an opinion on processes that have an impact on financial reporting. This includes outsourcing administration, credit management, asset management, real estate management, payroll & HR services and pension administration. SOC 2 is used by IT service organizations to give customers confidence about security, availability, processing integrity, confidentiality and/or privacy.
- For readers of a SOC 2 assurance report it is immediately clear on which criteria this trust is based, because the auditor must use the prescribed Trust Service Criteria as the assessment framework. Readers of an ISAE 3402 assurance report can determine the criteria on which trust is based only from the details of the report. The assessment criteria for ISAE 3402 are free-form.
In the end, however, the client's (the user organization's) request often determines which report is chosen. What does the client ask for, what does the client want certainty about, and for what purpose? An assurance report is never an obligation, but can lead to more effective cooperation and more trust between supplier and customer.