For an ISAE3402 certification, a Service Organization Control (SOC) report is required. This report should be audited by an external auditor, who issues an assurance report with the SOC report. The report should be prepared in accordance with the ISAE3402 guidelines. All controls are required to be included and should be auditable. Generally this requires more registration of controls.
This is a consequence of increased outsourcing. Many organizations focus on core activities and outsource non-core processes. As a consequence of decreased trust among parties, the demand for control over outsourcing increases.
An ISAE3402 report will be audited by an external auditor. The report should be prepared in accordance with audit regulations. If the responsible co-workers have an audit background, this will improve the preparation process. Specialized organizations can assist you with preparation of the report and manage the audit process.
If processes are insourced by your enterprise and these processes will have a material impact on the annual report of the service organization, an ISAE3402 report will be appropriate. Other organizations under supervision of, for example, the FSA should be able to demonstrate that outsourced processes are under control.
ISAE3402 is the international standard for control over outsourcing. In (international) tenders, an ISAE3402 certification will probably be required in outsourcing situations. Another advantage is that your internal processes will be aligned and better formalized.
Yes, it is required that information systems are included in the ISAE3402 report (ref. ISAE3402.16).
This is an example of the European practice. In principle, ISAE3402 requires that sample sizes are in line with the reduction of risk to a reasonable level. In the PCAOB guidelines, a sample size of 25 is required for daily controls. These guidelines are not included in the ISAE3402 standard.
A subservice organization is an organization that insources processes of a service organization. If, for instance, an asset manager outsources the hosting of their servers, this might be considered a subservice situation. The service organization can opt for a carve-out and refer to the ISAE3402 report of the subservice organization.
This is a semantic discussion. Strictly speaking, an ISAE3402 report is not a certification. It is a Service Organization Control report with an assurance report in accordance with ISAE3402. Generally speaking, however, this is referred to as an ISAE3402 certification.
Corporate Governance is a general term describing the good, efficient and sound management of an organisation. In the United States of America, the downfall of Enron and WorldCom led to the Sarbanes-Oxley Act (SOx), in which regulations with regard to internal control and Corporate Governance are established for American stock market listed companies. This means that, besides the yearly financial report, there must be a chapter within the yearly report concerning the evaluation of internal control. Companies not of American origin also have to conform to the SOx law when they are listed on the NYSE. In the Netherlands, the Code Tabaksblat is mandatory for all stock market listed companies.