An ISAE 3402 certification actually does not exist. An ISAE 3402 assurance is a report which states that the outsourced processes executed are controlled in such a manner that financial reporting is accurate and complete. ISAE 3402 is not a certification like ISO 27001. For ISAE 3402 reporting, a Systems and Organization Controls (SOC) report is required. A Systems and Organization Controls report describes all controls relevant to the financial reporting of the user organization. An ISAE 3402 report is the equivalent of an SSAE 18 SOC 1 report in the US. The first step, therefore, is preparing the Systems and Organization Controls report. An organization can prepare this report itself or hire a specialized consulting company. This SOC report should be audited by an external auditor. The auditor issues an assurance report with the SOC report if he agrees that all controls exist (type I) and operate effectively (type II). The SOC report should be prepared in accordance with the ISAE 3402 guidelines. All controls relevant to financial reporting are required to be included and should be auditable. For a typical organization, this requires more formalization of controls.
Processes, specifically IT processes, are increasingly outsourced to service organizations. If data is handled by external service providers, this raises information security concerns. As a consequence of this increased outsourcing, many organizations focus on core activities and outsource non-core processes. As a consequence of decreased trust among parties, the demand for control over outsourcing increases.
An ISAE 3402 report will be audited by an external auditor. The report should be prepared in accordance with audit regulations. If the responsible co-workers have an audit background, this will improve the preparation process. Specialized organizations can assist you with the preparation of the report and manage the audit process.
If processes are insourced by your enterprise and these processes will have a material impact on the annual report of the service organization, an ISAE 3402 report will be appropriate. Other organizations under the supervision of, for example, the FSA should be able to demonstrate that outsourced processes are under control.
ISAE 3402 is the international standard for control over outsourcing. In (international) tenders, an ISAE 3402 certification will probably be required in outsourcing situations. Another advantage is that your internal processes will be aligned and better formalized.
Yes, it is required that information systems are included in the ISAE 3402 report (ref. ISAE 3402.16).
This is an example of the European practice. In principle, ISAE 3402 requires that sample sizes are in line with the reduction of risk to a reasonable level. In the PCAOB guidelines, a sample size of 25 is required for daily controls. These guidelines are not included in the ISAE 3402 standard.
A subservice organization is an organization that insources the processes of a service organization. If, for instance, an asset manager outsources the hosting of their servers, this might be considered a subservice situation. The service organization can opt for a carve-out and refer to the ISAE 3402 report of the subservice organization.
This is a semantic discussion. Strictly speaking, an ISAE 3402 report is not a certification. It is a Service Organization Controls report with an assurance report in accordance with ISAE 3402. Generally speaking, it is referred to as an ISAE 3402 certification.
Corporate Governance is a general term describing the good, efficient, and sound management of an organization. In the United States of America, the downfall of Enron and Worldcom has led to the Sarbanes-Oxley Act (SOx), in which regulations with regard to internal control and Corporate Governance are established for American stock-market-listed funds. This means that, besides the yearly financial report, there must be a chapter within the yearly report concerning the evaluation of internal control. Companies not of American origin also have to conform to the SOx law when they are listed on the NYSE. In the Netherlands, the Code Tabaksblat is mandatory for all stock-market-listed companies.