What are the requirements of ISAE 3402?
Essentially, ISAE 3402 has a 'free format' regarding the requirements. However, the governing criterion of an ISAE 3402 report is the financial reporting process of your customers. This implies that the General Computer Controls (General IT Controls) are included in the report, as are all controls focused on the financial reporting processes. This could also include operational or production processes.
How can my organization fulfill the ISAE 3402 requirements?
The formal requirements are limited to general framework requirements only; however, many different best practices have developed for ISAE reporting. If the ISAE 3402 report does not comply with these best practices, the report could be perceived as a report of poor quality.
The relevant processes, the risk management framework, and a detailed control matrix need to be described by an organization. The detailed control matrix has to contain control objectives and control descriptions.
The ISAE 3402 implementation is best described in accordance with international standards for accountants and the specific jargon accountants use. After the implementation, all procedures and controls need to be in place. All working procedures, the management of the process, and the discipline of the organization must be uniform in order to comply with the procedures described in the report.
What are the costs for an ISAE 3402 implementation?
The costs depend on the scale of the implementation and the organization. Our software solution ControlReports provides an organization the option to implement all procedures internally without hiring external resources. The costs of the license are EUR 3.090.
Risklane's best practice for risk management is based on more than 25 years of in-depth experience with implementing control frameworks, all of which is combined in the ControlReports license. If an organization has resources with internal control knowledge, no further costs will be applicable. To illustrate, a typical IT client with 50-250 employees hires additional consultants for approximately 3-5 days. The hourly costs for additional consultants vary from EUR 125-350.
If our consultants are hired to implement the full process, the approximate resources required range from 80 days to 120 days for a typical IT services (SaaS or managed services) client. The resources required differ per industry, size of the organization, complexity, and the impact of financial and operational processes apart from the General Computer Controls (General IT controls).
Do we need an ISAE 3402 audit each year?
In general, an ISAE 3402 audit is performed each year, although this is often based on the specific requirements of your customer. Typically, customers require a calendar or fiscal year as the period under review.