The ISAE 3402 standard is an internationally recognized auditing standard issued by the International Auditing and Assurance Standards Board (IAASB). A service organization's auditor's examination is widely accepted because it represents an in-depth audit of a service organization's control objectives and activities. The control framework and related controls are included in detail in the Systems and Organization Report (SOC). The scope of an ISAE 3402/SOC report consists of controls over information technology and operational processes which impact the finance of an organization.
SOC reports can be divided into SOC1 and SOC2 reports. An ISAE 3402/SOC1 report is focused on the financial statements and all processes that impact these. An ISAE 3000 (or SOC2) report is focused on meeting a broader set of user needs, including concerns over privacy, confidentiality and availability of systems. SOC2 reports are based on the Trust Services Principles and Criteria in a modular way.
Type I and Type II
An ISAE 3402 Type I report includes an opinion of an external auditor on the controls in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are accomplished and whether the controls are in place. In an ISAE 3402 Type II report, the external auditor also reports on the operating effectiveness of these controls during a predefined period. ISAE 3402 reports most commonly cover the design and operating effectiveness of controls for a 12-month period with continuous coverage from year to year. A report may cover a period with a minimum of six months.
Aligning external requirements to internal risk excellence
In outsourcing situations many questions may arise: Are services executed in a controlled manner? How is security dealt with? Who has access to our information? Are sufficient anti-fraud measures implemented? ISAE 3402 provides a solution for these issues.
ISAE 3402 supports organizations in measuring and evaluating risks and in aligning the resulting control framework to strategic objectives and these risks. A one-time investment in the framework pays off by improving market confidence and organizational excellence.