ISAE 3402 and Outsourcing

Organizations increasingly outsource non-core business processes to service organizations. The service may be outsourced to Software-as-a-Service (SaaS) providers, asset managers or property management organizations. In outsourcing situations many questions may arise, including: Are services executed in a controlled manner? How is security dealt with? Who has access to the information? Are sufficient anti-fraud measures present? ISAE 3402 provides a solution for these issues.

a practical example. A CRM application is provided by a Software-as-a-Service (SaaS) provider. The providers hosts the applications in a data center of a hosting provider. Within this chain of organizations questions of physical security (who can enter the premises of the data center), internal control (are sufficient separations of duty present) and quality of execution of processes (how large is the risk of power failure for my application) might arise. Questions of data integrity might also arise: Is data is properly stored and are backup and recovery procedures in place? Are disaster recovery measures in place and periodically tested? Has the organization an awareness of the risk of fraud? Financial institutions might also have a legal obligation to understand outsourcing risks. These legal requirements are described, for instance, in the Alternative Investment Fund Managers Directive (AIFMD), Basel III, and the Solvency II guidelines.

The ISAE3402 standard

The International Standards for Assurance Engagements, No. 3402, is an internationally recognized auditing standard issued by the International Auditing and Assurance Standards Board (IAASB). A service organization’s auditor’s examination performed in accordance with ISAE No. 3402 (“ISAE 3402 Audit”) is widely accepted, because it represents an in-depth audit of a service organization’s control objectives and activities. These activities often include controls over information technology and related processes. The scope of the external auditor’s examination includes both those classes of transactions in the service organization’s operations that are significant to the organization’s financial statements and processes that are specifically defined by the service organization.

ISAE3402 and the financial audit

ISAE 3402 reports are increasingly requested by audit firms to increase the effectiveness of annual audits. The auditor of the financial statements of the user organization should have insight and audit outsourced processes. Processes executed by a service organization for a user organization might have an impact on operational processes which affect the financial statements of the user organization. Each service organization can engage their own audit firm to perform audit procedures. This implies that service organizations will be visited by numerous audit firms. An ISAE3402 report prevents this and provides audit firms insight into the relevant risks, how these risk are controlled, and an official assurance report on the operating effectiveness of the entire framework.

ISAE No. 3402 is generally applicable if an independent auditor (“user auditor”) is planning the financial statement audit of an user organization that obtains services from other organizations (“service organization”). The report will be audited by a ISAE 3402 auditor (specialized service auditor. The service auditor reports to the independent auditor in accordance to ISAE 3402 on the operating effectives of procedures and controls, relevant for annual reporting.

Outsourcing assurance

Applications are increasingly offered as cloud services by SaaS providers. Consequently the demand for ISAE 3402 and the control of processes has increased significantly. Aspects such as data protection, fraud prevention, and protection of personal information have the special interest of both user organizations and supervisory bodies. Until 2008, ISAE 3402 reports were mainly used in the asset management and pension administration industry. Demand for ISAE3402 has grown in the entire financial market, from real estate management to hosting providers and credit management institutions. The European Corporate Governance Institution has several partnerships with associations in different industries to maintain the quality of ISAE 3402 reports.

Content ISAE3402 report

ISAE 3402 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the IAASB’s standards for fieldwork, quality control, and reporting (ISAE 3000). There are no detailed prescriptive guidelines for an ISAE 3402 report. In the ISAE 3402 standard the testing procedures are prescribed, and the scope of the report should include all processes that affect the financial statements. In daily practice, best practices have been developed by service organizations and the big four audit firms. An ISAE3402 report usually consist of a “general part,” which includes a description of the organization, the risk management framework, and an overview of the entire internal control framework. A control matrix is included in the report. In this matrix, a detailed description of management objectives, controls, and the test results of the external auditor are presented. More information about the contents of an ISAE3402 report and the consequences for an organization can be found here (ISAE3402 implementation). A service auditor may issue two types of reports: an ISAE 3402 Type I report or an ISAE 3402 Type II report.

ISAE 3402 | Type I report

An ISAE 3402 Type I report includes an opinion of an external auditor on the controls in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are accomplished and whether the controls are in place.

ISAE 3402 | Type II report

The examination performed by the external auditor for an ISAE 3402 Type II report differs from an ISAE 3402 Type I examination. In a Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls during a predefined period. This implies that the external auditor performs a detailed examination of the internal control of the service organization and also examines whether all controls are operating effectively in accordance with predefined processes and controls.