Organizations increasingly outsource non-core business processes to service organizations. The service may be outsourced to Software-as-a-Service (SaaS) providers, asset managers or property management organizations. In outsourcing situations many questions may arise, including: Are services executed in a controlled manner? How is security dealt with? Who has access to the information? Are sufficient anti-fraud measures present? ISAE 3402 provides a solution for these outsourcing risks.
Outsourcing of business processes to external providers expanded exponentially with the growth of the opportunities the cloud provided. Asset managers performed services for investors. Brokers performed services for asset managers. Next to this traditional outsourcing, software was no longer provided on premises but as a service (‘SaaS’). Software development companies in turn made use of managed service providers and of Infrastructure as a Service (‘IaaS’) and Platform as a Service (‘PaaS’) providers.
All these cloud services, such as SaaS servers, are typically provided on virtualised servers (VPS). Each step in the process brought new opportunities and new risks, and ISAE 3402 brought a solution for these risks by providing transparency and attestation. An ISAE 3402 or SOC1 report describes the controls in place at a service provider such as a SaaS provider, including which software and infrastructure controls are in place. An external auditor provides an opinion on the effectiveness of these controls.
A broker uses SaaS software that enables efficient clearing of stock transactions. The SaaS provider hosts the software on virtualized servers provided by Red Hat, a PaaS provider. The servers are physically located in Amazon (AWS) datacentres in Houston, Texas. The question might arise whether the SaaS provider has change management procedures in order, or whether Amazon employees or other visitors to the datacentre can physically access the halls where the SaaS provider’s servers are located.
Since the stock transactions will probably contain confidential data, all risks in the outsourcing chain should be mitigated. An ISAE 3402 | SOC1 report can address these concerns: Amazon provides a SOC1 report describing which employees can access the datacentre and how this is controlled, the PaaS provider provides an ISAE 3402 report in which security is covered, and the SaaS provider reports on change management. Each report is ‘linked’ to the others by its scope definition, providing comfort to all parties involved.
Implementing ISAE 3402 implies that the control framework is described: all monitoring controls, all application controls, and the General IT Controls relevant for your client (‘the user organization’). These controls should be described in the SOC1 report. Typically, such a report is based on the COSO framework and includes a description of the organization, the risk analysis process, and a control matrix in which all control objectives are matched to the relevant controls.
Consultancy firms in the UK and Europe can provide assistance with describing your control framework in compliance with the legal and regulatory frameworks and best practices. After the control framework has been described, a service auditor should be hired to perform the ISAE 3402 attestation. These services are typically provided by specialized ISAE assurance companies such as KPMG, Deloitte or Certicus.
The scope of the external auditor’s examination includes both those classes of transactions in the service organization’s operations that are significant to the organization’s financial statements and processes that are specifically defined by the service organization.
A Service Organization Control (SOC) report is a term which originated in the US. The US equivalent of ISAE 3402 is the SSAE 18 (SOC1) standard. The contents of an ISAE 3402 report and an SSAE 18 report are generally the same; only minor requirements differ between the two standards.
The ISAE 3402 standard is an internationally recognized auditing standard issued by the International Auditing and Assurance Standards Board (IAASB). A service organization auditor’s examination performed in accordance with ISAE No. 3402 (“ISAE 3402 Audit”) is widely accepted, because it represents an in-depth audit of a service organization’s control objectives and activities. These activities often include controls over information technology and related processes.