Skip to main content

Organizations increasingly outsource non-core business processes to service organizations. The service may be outsourced to Software-as-a-Service (SaaS) providers, asset managers or property management organizations. In outsourcing situations many questions may arise, including: Are services executed in a controlled manner? How is security dealt with? Who has access to the information? Are sufficient anti-fraud measures present? ISAE 3402 provides a solution for these outsourcing risks.


More than 300 professional organizations are registered in the ISAE 3402 index. Please click to consult en see which organizations are registered.
Consult ISAE index


Outsourcing of business processes to external providers expanded exponentially with the growth of the opportunities the cloud provided. Asset managers performed services for investors. Brokers performed services for asset managers. Next to this traditional outsourcing, software was no longer provided on premises, but as a service (‘SaaS’). Software development companies again, made use of managed service providers and Infrastructure As A service (‘IaaS’) and Platform As A Service (‘PaaS’)-providers.

Scope SOC 1

All these Cloud Services such as SaaS-servers are typical provided on virtualised servers (VPS). Each step in the process brought new opportunities and new risks. And ISAE 3402 brought a solution for these risks by providing transparency and attestation. An ISAE 3402 or SOC 1 report describes the controls in place at a service providers such as a SaaS providers. Describing which software and infrastructure controls are in place. An external auditor provides an opinion on the effectiveness of these controls.


A broker uses software (‘SaaS’) software that enables efficient clearing of stock transactions. The SaaS-provider hosts the software on virtualized servers provided by a RedHat, a PaaS-providers. Servers are physically located in Amazon (AWS) datacentres in Houston, Texas. The question might rise whether the SaaS-provider has change management procedures in order or whether Amazon employees or other visitor of the datacentre can physically access the halls where the server of the SaaS-provider is located.

Since the stock transactions probable will contain confidential data, all risks in the outsourcing chain should be mitigated. An ISAE 3402 | SOC 1 can solves these concerns; Amazon will provide a SOC 1 report describing which employees can access the datacentre and how this is controlled. The PaaS-provider will provide an ISAE 3402 report in which security is covered and the SaaS-provider will report on change management. Each report is ‘linked’ to the other by the scope definition, providing comfort to all parties involved.

ISAE 3402 in practice

How can ISAE 3402 help your company to manage risks and be more transparant to suppliers? The following will provide answers to these questions:
A SOC 1 report is a term that originated in the US. Generally, a SOC 1 report and an ISAE 3402 report are the same. In practice these terms are used as synonyms. Formally, a SOC 1 report is attested by an US CPA and an ISAE 3402 report is attested by an international auditor who works in compliance with the IFAC requirements.

Implementing ISAE 3402 implies that the control framework is described; all monitoring controls, all application controls, and General IT Controls relevant for your client (‘the user organization’). These controls should be described in the SOC 1 report. Typically, such a report is based on the COSO framework and includes a description of the organization, the risk analysis process, and a control matrix in which all control objectives are matched to the relevant controls.

Consultancy firms in the UK and Europe can provide assistance with describing your control framework in compliance with the legal and regulatory frameworks and the best practices. After the description of the control framework a Service auditor should be hired to perform the ISAE 3402 attestation. These services are typically provided by specialized ISAE assurance companies such as KPMG, Deloitte or Certicus.

The scope of the external auditor’s examination includes both those classes of transactions in the service organization’s operations that are significant to the organization’s financial statements and processes that are specifically defined by the service organization.

A Service Organization Control Report (SOC) is a term which originated in the US. The US equivalent of ISAE 3402 is the SSAE18 (SOC 1) standard. The contents of a ISAE 3402 and SSAE 18 is generally the same, only minor requirements are different in both standards.

An ISAE 3402 report limits the number and provides audit firms detailed insight into relevant risks, how these risk are controlled, and an official assurance report provided by an external auditor on the operating effectiveness of the entire framework.


ISAE 3402 and outsourcing

SOC 1 reports

The ISAE 3402 standard, is an international recognized auditing standard issued by the International Auditing and Assurance Standards Board (IAASB). A service organization’s auditor’s examination performed in accordance with ISAE No. 3402 (“ISAE 3402 Audit”) is widely accepted, because it represents an in-depth audit of a service organization’s control objectives and activities. These activities often include controls over information technology and related processes.