Skip to main content

Background of ISAE 3402

The International Federation of Accountants (IFAC) published a new Attestation Standard, ISAE 3402 on 15 June 2011. ISAE 3402 superseded existing guidance (SAS 70) for performing an examination of a service organization's controls and processes. The SAS 70 has developped to the SSAE 16 (US) and ISAE 3402 (international) standard. Latest developments are towards seperate reports for outsourcing ISAE 3402 and General IT Controls (SOC 2). Internationally SOC 2 reports are audited in accordance with the ISAE 3000 standard and Trust Service Principles


SAS 70 had become a well-known acronym representing an in-depth audit of a third-party service organization because of increasing of outsourcing of IT to service organizations. With the passage of the Sarbanes-Oxley Act of 2002, the Public Company Accounting Oversight Board (PCAOB) the demand for assurance over outsourcing dramatically increased in the United States.
An important part of the Sarbanes-Oxley Act was the Guide to Internal Control Over Financial Reporting (ICFR). In the ICFR guides the process used by U.S. public companies to enhance the reliability of their financial statements by reducing the risk of material errors or misstatements is described.

Supervisory Authorities

As a consequence of increased oversight by supervisory authorities and the requirements in laws and regulations for effective control over outsourcing by financial institutions, the demand for outsourcing assurance and ISAE 3402 increased in different industries, such as IT service providers, asset managers, datacenters and property managers.

In the early years of using SAS70, many organizations completed SAS70 type I reports to show that they were SAS70 certified. Auditors of pension funds gave rise to the demand for more certainty over a specific period, for which the SAS70 type II standard was developed.

International Standard

In an effort to move toward international accounting standards, the IFAC issued International Statement on Assurance Engagement 3402 in June 2011. It replaced SAS 70 internationally and was designed to closely mirror Standards for Attestation Engagements 16 (SSAE 16).
The AICPA has replaced SSAE 16 with a new standard effective for report dates on or after May 1, 2017. This new standard, known as SSAE 18, is designed to address and clarify concerns over the clarity, length and complexity of the many other AICPA standards.
In the UK the demand for ISAE 3402 reports has increased as a consequence of the Brexit and the decreased demand for the AAF 01/04 standard.

SOC1 and SOC2 reports

In the SSAE18 standards a distinction is made between a Systems and Organization Control (SOC) 1 assessment and a SOC 2. A SOC 1 report is comprised of control objectives used to accurately represent internal control over financial reporting (ICFR). A SOC2 report is based on the Trust Service Criteria.
Internationally for SOC2 reporting the International Standard on Assurance Engagements (ISAE 3000) is used for reporting on the Trust Services criteria on security, privacy, availability, confidentially and processing integrity, and including the description on the services provided and the controls tested.