Example ISAE 3402

ISAE 3402 is a standard for reporting on internal control of outsourcing to a service organisation by a user organisation. With the explosive growth of outsourcing, the demand for control of outsourcing has increased. An ISAE 3402 report contains general information about the firm, preferably described in a manner consistent with COSO standards, and often a control matrix.

What does this mean in practice?

Example: A pension fund outsources its asset management. Because the fund is supervised by the Dutch National Bank, it is required to demonstrate that this outsourced activity is controlled. This can be done by having the asset management organization write a report that describes how the outsourced activities are controlled. A report like this is a Service Organization Control Report, for which there are different standards: ISAE 3402, SSAE16 (US) and AAF 01/06 (UK). The Dutch translation of the ISAE 3402 standard of the International Federation of Accountants is Standaard 3402.

A Service Organization Control report is checked by the service auditor. When the user auditor checks the annual accounts of the pension fund, he uses the ISAE 3402 report to establish whether the outsourced activities lead to correct and complete processing in the annual accounts of the pension fund. An auditor can provide a type I or a type II declaration with an ISAE 3402 report. In a type I report, only the existence of the control framework at a certain moment is described. In a type II report, both the existence and the operation of the control framework are described over a period of at least six months.