Skip to main content

Outsourcing asset management

ISAE 3402 is the standard for reporting on internal control of a service organisation to an organization that outsources activities. These organizations can focus on their core activities and outsource activties required to run their operations to other organizations.


An example of a service organization that needs a SOC 1 report is a company that provides asset management to financial institutions. The institutions (user organizations) that use the asset management company will realize the material impact of investement processes on their financial statements and request independent assurance that their investments are being processed and handled in accordance with their requirements. An ISAE 3402 report provides user entities of the asset management company reasonable assurance that the internal controls of the investment processes are suitably designed (Type I report) or suitably designed and operating effectively (Type II report).

Sections ISAE 3402 report

ISAE 3402 report typically consists of five sections:
  1. The assurance opinion of the external auditor
  2. An assertion written by management of the service organization
  3. The description of a service organization’s system
  4. Description of Tests of Controls and Results of Testing
  5. Other Information
Sections are not required by the ISAE 3402 standard, but an industry best practice for the layout of an ISAE 3402 report.

Auditor's opinion and management assertion

In the first two sections the auditor’s report and management assertion are included. In the auditor's report the scope of the audit (services included), the test period of the audit (Type 2) or report as-of-date (Type 1) and type of opinion being issued, and whether the ISAE 3402 report is qualified or unqualified. In the management’s assertion, management of the service organization makes a number of management statements including an assertion that the description of the system fairly presents the system (Type 2). The control objectives were suitably designed (Type 1) or suitably designed and operating effectively (Type 2), and discussion of the criteria used to make the assertion.

Description of the system

The description of a service organization’s system a general description of risk management (in accordance with COSO 2017 ERM or COSO 2013) is included in the ISAE 3402 report which describes how risks are identified and managed. The description also includes all processes, policies, procedures, personnel and operational activities that constitute the service organization’s services that are relevant for the annual report of the user organization. This typically includes all operational and/or financial processes executed by the service organization for the user organization. The General IT Controls or GITC's are also included in the description of the system.

General IT Controls

The General IT controls (ITGC) are controls that applicable to all processes, systems and and data of the organization over the information technology (IT) environment. The General IT Controls that should be included in an ISAE 3402 report are:

  1. Logical access over the infrastructure, systems, applications, and data
  2. Change management of applications
  3. Data center physical security controls
  4. Data integrity; data backup and recovery controls
  5. Computer operation controls