ISAE 3402

Organisations increasingly outsource non-core business processes to service providers such as SaaS companies, asset managers, and property management firms. ISAE 3402 is a global assurance standard that provides transparency on how an outsourced service is executed, how security is handled, and which anti-fraud measures are in place. The resulting ISAE 3402 report gives the client (the user organisation) and its auditors independent evidence that appropriate controls exist and operate. Such reports are crucial for mitigating the risks of outsourcing and for confirming that service providers maintain effective control frameworks, especially in sensitive industries such as finance. SOC 1 is the US equivalent of ISAE 3402: it covers the same scope and offers the same report types (Type I and Type II).

How to Obtain an ISAE 3402 Report

01
Understanding Requirements
Familiarise yourself with the ISAE 3402 requirements and determine what the standard means for your organisation and your clients. Note that ISAE 3402 does not produce a certificate; the deliverable is an independent assurance report on your controls.
02
Audit Preparation
Select an independent auditor and define the scope of the engagement: the services covered, the reporting period, and the key processes and controls to be examined.
03
Documentation and Analysis
Document the existing controls and build a control matrix (risks, control objectives, and the control activities that address them), then conduct a gap analysis to identify deficiencies.
04
Internal Checks
Perform internal tests of the controls, remediate any failures, and update the documentation to reflect the test results.
05
Conduct External Audit
Prepare the documentation the external auditor needs and give the auditor access to the relevant processes, systems, evidence, and staff.
06
Analyse Results and Improve
Receive the auditor's report, analyse the findings and any exceptions, and implement the recommendations so that processes and controls improve continuously before the next reporting period.

Key Elements of an ISAE 3402 Report

An ISAE 3402 report typically includes:


Auditor’s Opinion

States the scope of the engagement and the reporting period, and gives the auditor's conclusion on the controls, either unqualified (no significant exceptions) or qualified (one or more control objectives not achieved).

System Description

Prepared by the service organisation, it describes the services provided and how the related risks are managed, including the general IT controls (GITCs) such as logical access, change management, and physical security, together with the control objectives and control activities the auditor tests.

Additional Info

Optional section including any additional relevant details.

ISAE 3402 vs. ISO 27001 & SOC 2


An ISAE 3402 audit evaluates the internal controls at a service organisation that are relevant to its clients' financial reporting. In a Type I engagement the external auditor assesses whether the controls are suitably designed and implemented at a point in time; in a Type II engagement the auditor also tests whether they operated effectively over a period, typically six to twelve months. The report includes at least a control matrix that sets out the risk management framework, the control objectives, the control measures that address them, and the results of the auditor's tests.

ISAE 3402: Financial Controls and Outsourcing

ISAE 3402 is primarily designed for service organisations whose services affect the financial reporting of their clients, and it focuses on evaluating and reporting on the internal controls relevant to that financial reporting. It is commonly used by companies in sectors such as accounting, asset management, and business process outsourcing (BPO). The main emphasis is on showing that the organisation's controls support accurate financial reporting for its clients, with auditors providing an independent opinion on those controls. The report also helps organisations demonstrate compliance with external regulatory requirements related to financial reporting.

ISO 27001 & SOC 2: Security & Data Protection

ISO 27001 and SOC 2, by contrast, are not scoped to financial reporting. ISO 27001 is a certifiable standard that specifies the requirements for an information security management system (ISMS) covering the organisation's own information assets. SOC 2 is an attestation report, issued under the AICPA framework, on controls relevant to the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Both address security and data protection in the broad sense, whereas ISAE 3402 addresses the controls that underpin a client's financial statements.

The Evolution of ISAE 3402

2009
Launch

The IAASB introduced ISAE 3402, providing a framework for assessing internal controls at service organisations.

2013
Alignment with SOC 1

The standard aligned with the AICPA's SOC 1 framework for easier compliance.

2016
Global Recognition

ISAE 3402 gained international acceptance, emphasising transparency and accountability.

2021 and Beyond
Continued Evolution

ISAE 3402 adapts to meet challenges posed by digital transformation and cybersecurity threats.

Training

For organisations subject to ISAE 3402, training is crucial to understanding the audit requirements and control frameworks and to producing a strong ISAE 3402 report. Specialised consultants can help define controls, conduct risk assessments, and prepare for audits. Regular training ensures that internal teams stay current with best practices and evolving standards.
