Cloud services and ISAE 3402 | SOC 1
Within IT outsourcing and Cloud services, the demand for ISAE 3402 has increased significantly. The ISAE 3402 register contains an impressive list of SaaS and hosting providers that are ISAE 3402 certified. What is the reason for this increased demand in the IT sector and more specifically in the Cloud Services Industry; SaaS, IaaS, PaaS and datacenter services? ISO 27001 is an important international certification standard for information security. So why has the demand for ISAE 3402 certification increased in the IT sector? An important reason is that more and more crucial systems of organizations are offered from the Cloud. Then why is ISAE 3402 so important and why is ISO 27001 not sufficient? The answer to this starts in the financial sector.
Financial institutions are required by law and regulations, such as the Pensions Act or the Wft, to demonstrably control risks with regard to outsourcing. An ISO 27001 certification is not regarded by either the Dutch Central Bank or the AFM as a sufficient guarantee. The Dutch Central Bank sees ISAE 3402 as a sufficient guarantee and even requires such a report in legislation and regulations.
Accountants and corporates
In addition to financial institutions, accountants play an important role. Organizations that are subject to audits are increasingly using Cloud services. As a result, accountants must include the processes on systems in the Cloud in the annual audit. For these audits, accountants often 'rely' on ISAE 3402 assurance reports from specialized service auditors. In addition, the framework of standards is important.
In contrast to ISO 27001, ISAE 3402 has a standard framework; the annual accounts or more specifically; all processes that are important for the internal organization of the user organization and specifically aimed at the annual accounts. So, all processes that lead to financial processing in the annual accounts. In many organizations, data from operational processes is stored in the Cloud or operational processes are outsourced to a SaaS provider or hosted by a hosting party. These operational processes almost always have a direct or indirect influence on the financial statements. As indicated above, these processes will be important for auditors when carrying out the annual audit.
An accountant cannot derive any value from an ISO 27001 certification. In such a case, an ISAE 3402 certification is recognizable for an external accountant and can also be used (technically) for the annual audit of the user organization. Unlike ISO 27001, ISAE 3402 has no detailed standards for information security. In practice, the CobiT 5 framework is usually used here because this framework of standards is sufficient to guarantee information security for annual accounts. For these reasons, an ISAE 3402 report often has more added value for both user organizations and their accountants; after all, in addition to security components of ISO 27001, all processes that have an effect on the annual accounts are also included.
An important question for the future is how to deal with Cloud Security. In many cases, it is not clear where information is stored in the Cloud and whether the countries where this data is stored also comply with, for example, the General Data Protection Regulation (GDPR). To what extent does a Cloud Service Provider have processes in order, which security guidelines are used and how are operational IT risks managed?
In the US, the government requires that all parties that provide cloud services to the government must comply with the FedRAMP guidelines. Such requirements have not yet been formulated for private parties, not even from the American Sarbanes Oxley (SOx404 requirements). Primarily, in the case of outsourcing by listed organizations, the SSAE18 requirements must be met. These are largely in line with ISAE 3402 requirements. The ISAE 3402 certification also offers an opportunity in this case. After all, if SSAE18 is complied with, certification can also be carried out in accordance with the SSAE18 requirements with a fairly limited effort.
Based on the above, it can be concluded that ISAE 3402 can be used for multiple purposes, both to demonstrate to a client that the outsourced processes are 'well' controlled, and an ISAE 3402 can also be used by the external auditor.