Skip to main content
ISAE 3402 report

Third Party Risk and ISAE 3402

From full outsourcing of complex functions like IaaS, PaaS services or component manufacturing to small contracts with local service providers and suppliers, organizations in different industries with different magnitude rely heavily on third-party service organizations.
Outsourcing activities results in cost savings, operational efficiencies or expansion of expertise in the organization. Outsourcing also implies expanding risk exposure. Understanding, analyzing and effectively responding to risks as part of an enterprise risk management (ERM) approach is essential for minimalization of exposure to financial losses, regulatory noncompliance and reputational damage.  

Understanding third-party risk

Third-party risk isn’t limited to multinational companies that outsource major business functions to offshore vendors. In today’s world most organizations interact with service organizations on a regular basis as part of regular business operations as discussed in prior chapter. Even small companies rely on service organizations for different kinds of activities from hosting of servers, IT support to salary processing. The increase of outsourcing to third parties equally increases potential risks organizations are subject to.  


The analysis of this third-party risk at any given point in time is essential for business continuity and maximizing the impact of the risk management efforts. Given the highly dependence of data in most companies, any third party with access to sensitive- or confidential information can pose a potential risk for business continuity. In outsourcing risks, as with other categories of risk degrees and hierarchies can be considered. These hierarchies and degrees form the basis for the setting of risk priorities by management and the basis for the risk framework in an ISAE 3402 | SOC1 report.

Risk priortizing and ISAE 3402

Setting risk priorities is not a one-time exercise, all parameters can be adjusted through time, depending on factors ranging from economic developments to changes in the - regulatory environment to evolving strategic initiatives. While not an exhaustive list, the types of third parties that typically pose a higher degree of risk to your organization include service organizations such as:   

  • - Cloud computing/on-demand computing
  • - Software-as-a-Service (SaaS)
  • - Internet service providers (ISPs)
  • - Credit card processing platforms
  • - Online order fulfilment
  • - Datacenter and co-Location providers
  • - HR and payroll services
  • - Third-party administrators (TPAs)
  • - Print and mail services
  • - Third-party logistics (3PL) services
  • - Accounts receivable processing and debt collection services
  • - Third-party due diligence

Proper due diligence before entering into a new third-party contract is just a start.  Just like enterprise risks, third-party risk should be regularly and proactively be managed throughout the life of a vendor relationship because parameters adjust through time. This implies leveraging internal audit, finance, legal and—in many cases—independent auditors providing an ISAE 3402 assurance opinion.