ISAE 3402 Audit

15 March, 2022

Our auditors use the so-called ISAE 3402 audit to answer the important question of how ‘in control’ a service organisation is. More and more companies are now outsourcing non-core processes to external parties. This increases the need for greater accountability over process control in service organisations. An ISAE 3402 statement offers insight and assurance.

What is an ISAE 3402 report?

An ISAE 3402 audit is a means for auditors to examine process control in a service organisation, for example at IT service providers, asset managers, debt collection agencies or other service providers whose processes affect the user’s financial accountability. The main question here is: ‘How does the service organisation manage its processes?’ This question addresses topics such as risk management, information security and operational excellence. ISAE 3402 goes several steps further than, for example, ISO 27001.

What does ISAE 3402 stand for?

ISAE stands for International Standard on Assurance Engagements and is a widely accepted format. Adding 3402 to the standard indicates that it concerns the internal control in a service organisation and, more specifically, the impact that a service organisation’s processes have on the financial accountability of the user.

What types of ISAE 3402 reports are there?

There are two different types of ISAE 3402 engagements. For an ISAE 3402 type 1 report, the auditor examines the processes and control measures in terms of their design and existence. It’s basically a snapshot. At a given moment, the auditor looks at whether the process in question is performed in line with the documented procedures and assesses whether the implemented measures are sufficient to manage the current risks. In an ISAE 3402 type 2 report, the auditor has the added task of examining how the described measures are carried out in practice, i.e. the auditor checks whether the control measures described have also worked over a defined period, usually six months to a year.

Why do an ISAE 3402 audit?

Clients of service organisations, also known as user organisations, want to know if ‘everything’ is properly arranged. Businesses outsource certain processes and want to know they can rely on this external partner. For service organisations, the report therefore serves as a means of demonstrating compliance to third parties. And it gives businesses the peace of mind and assurances they need that the processes are in good hands.

Auditors of user organisations are also demanding ISAE 3402 reports more often. The processes that a service organisation performs often influence the financial processes and therefore have an effect on the user organisation’s annual financial statements.

What comes out of an ISAE 3402 audit?

The result of an ISAE 3402 audit is an ISAE 3402 report with an official statement. This can be type 1 or type 2 (the difference is explained above). A service organisation can use the report and statement to show accountability in the chain to user organisations.

To whom do ISAE 3402 audits apply?

We perform ISAE 3402 audits at service organisations and look specifically at the (elements of) processes that have an impact on financial reporting. Service organisations often receive several requests from clients for audits or additional information about how the service that was provided is managed. To avoid having to answer all these questions separately, a service organisation can have an ISAE 3402 audit performed. The ISAE 3402 report, which is produced by an independent auditor, is a useful way to answer most questions that clients have. It is for this purpose that service organisations commission us to perform an ISAE 3402 audit.

When SOC 2 and when ISAE 3402?

An ISAE 3402 report is the European counterpart of SOC 1 (Service Organisation Control) and applies to processes that are related to financial accountability. Does the assurance that the service organisation wishes to provide focus mainly on matters such as security, availability, process integrity, confidentiality or privacy? Then SOC 2 compliance is perhaps the better option. SOC 2 follows the internationally accepted trust services principles (TSP). If you need any help selecting the right reporting standard for your business, please contact us. Would you like to read more on this subject? Read this (Dutch) paper.

Get in touch with our experts

Lucas Vousten | 040 240 9516
Ties Meesters | 040 240 9459

Our expertise also extends to assessments in the fields of IT security and forensic IT. Read more about what our IT Assurance team can do for you.
