The scope

Required scope of the ISAE 3402 report

The required scope are all controls that are likely to be relevant for an user entity as it relates to financial reporting. This implies that non-financial processes and controls should be excluded from the ISAE 3402-scope principally.

Controls that only affect the user entities production or quality controls should be excluded from the scope.

Example scope

This brings some specific issues; how should one treat the SLA agreements for a hosting- or ASP-provider? Strictly theoretical these should be excluded from the scope since these refer to the quality provided by the hosting provider and not to financial processes.

If these specific SLA agreements refer to downtime or problem management, these processes could indirectly have a material impact on financial reportings. An auditor should always make a specific assessment of processes will directly or indirectly have an effect on reporting processes at the user organization.