ISAE 3402

Gavias Slider Slider Expertise ISAE 3402 (2)

Gavias Blockbuider Clone ISAE 3402 optie 2

Internal Control over Financial Reporting

Non-core business processes are increasingly outsourced to service organizations. An ISAE 3402 report provides assurance over outsourcing regarding financial processes. Due to the growing demand for control over outsourced activities, ISAE 3402 emerged. The outsourced services can be Software-As-A-Service (SaaS) providers, asset managers, data centres, property managers, etc. A FAQ and further detailed information on ISAE 3402 are outlined below.

What are the requirements of ISAE 3402?

Essentially, the ISAE 3402 has a 'free format' regarding the requirements. However, the governing criteria of an ISAE 3402 report are the financial reporting process of your customers, this implies that the General Computer Controls (General IT Controls) are included in the report just as all controls focussed on the financial reporting processes. This could also include operational or production processes.

How can my organization fulfill the ISAE 3402 requirements?

The requirements are limited to general framework requirements only, however general practices for ISAE reporting have many different best practices. If the ISAE 3402 report does not comply with these best practices, the report could be perceived as a report of poor quality.

The relevant processes, the risk management framework, and a detailed control matrix need to be described by an organization. The detailed control matrix has to contain control objectives and control descriptions.

The ISAE 3402 implementation is best described in accordance with international standards for accountants and specific accountants' jargon. After the implementation, all procedures and controls need to be in place. All working procedures, management of the process, and discipline of the organization require uniformity to comply with the described procedures in the report.

What are the costs for an ISAE 3402 implementation?

The costs depend on the scale of the implementation and the organization. Our software solution ControlReports provide an organization the option to implement all procedures internally without hiring external resources. The costs of the license are EUR 3.090.

Risklane best practice for risk management is based on more than 25 years of in-depth experience with implementing control frameworks, which is all combined in the ControlReports license. If an organization has resources with internal control knowledge no further costs will be applicable. To illustrate, a typical IT client with 50-250 employees, hires additional consultants for approximately 3-5 days. The hourly costs for additional consultants vary from EUR 125-350.

If our consultants are hired to implement the full process, the approximate resources required range from 80 days to 120 days for a typical IT services (SaaS or managed services) client. The resources required differ per industry, size of the organization, complexity, and the impact of financial and operational processes apart from the General Computer Controls (General IT controls).

Do we need an ISAE 3402 audit each year?

In general, an ISAE 3402 audit is performed each year. Although this is often based on the specific requirements of your customer. Typically, a calendar or fiscal year period under review is required by customers.

ISAE 3402

Outsourced services require that information from a service organization is acquired to assess and address the risks associated with outsourced services. An ISAE report is an internal control report that provides this information. ISAE 3402 is the standard for assurance on financial processes (or processes with a financial impact for the user organization). A risk management framework, a description of controls, and an assurance (audit) opinion of an independent auditor are typically included in an ISAE 3402 report.

Industries

Organizations providing services to other organizations, e.g. Asset Managers, Pension Services Providers, Software As A Service (SaaS)-providers, Infrastructure As A Service (IaaS)-providers, Platform As A Service (PaaS)-providers, and Data centre Services providers are generally required to implement an ISAE 3402. If outsourced processes are related to financial processes ISAE 3402 is relevant. An ISAE 3000 or SOC 2 might be more relevant if the processes are related to General IT Controls (GITC's).

Why is ISAE 3402 widely used for providing assurance?

Background

The American Institute of Certified Public Accountants (AICPA) issued an internationally recognized auditing standard: ISAE 3402. A Service organization’s auditor's examination performed in accordance with ISAE 3402 is widely recognized, because it represents an in-depth audit of a service organization’s control objectives and control activities, which often include controls over information technology and related processes. Service organization improves their ability to perform outsourcing services to corporates which most likely result in more trust in the services provided. Included in the scope of examination of the external auditor are the classes of transactions in the service organization’s operations that are significant to the user organization’s financial statements, and processes that are specifically defined by the service organization.

Institutions such as banks, pension funds, and insurers must have control over outsourced processes to service organizations, this is required by the supervisory authorities of financial institutions. Laws and regulations require these institutions to acquire this information of their service organizations by means of an ISAE report in compliance with ISAE 3402; the standard for assurance over outsourcing regarding financial processes. ISAE 3402 is the US successor of the SAS70 standard since 2011. The SAS70 standard was internationally replaced by ISAE 3402. By providing assurance on outsourced processes via an ISAE 3402 report, insight is provided into the effectiveness of the execution of services, the security controls surrounding these services, and the presence of sufficient anti-fraud measures.

Reporting types explained

ISAE 3402 reports

When an independent auditor ("user auditor") is planning the financial statement audit of an entity ("user organization") that obtains services from another organization ("service organization") ISAE 3402 is applicable. An ISAE 3402 report allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of the audit. ISAE 3402 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach for the audit of financial statements. A service auditor may issue two types of reports; a Type I report or a Type II report.

Type I report

An ISAE 3402 Type I report includes an opinion of an external auditor on the controls placed in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are accomplished and whether the controls are in place.

Type II report

In an ISAE 3402 Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls in a predefined period of six months minimum. This implies that the external auditor performs a detailed examination of the internal control of the service organization and also examines whether all controls are operating effectively in accordance with the predefined processes and controls.