International Standard on Assurance Engagements 3402 (ISAE 3402), titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that describes Service Organization Control (SOC) engagements, which provides assurance to an organization's customer that the service organization has adequate internal controls. ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB) and published by the International Federation of Accountants (IFAC) in 2009. It supersedes SAS 70. and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls.
An ISAE 3402 audit certificate including an audit report is regarded as a quality criterion for service providers that distinguishes them from competitors.
It also pays for a customer to contract with a service provider that holds an ISAE 3402 certificate: the auditor of the customer can rely on the certificate of the service organization, resulting in a reduced necessary audit budget.
Scope, Types and SOC classification
The scope of an ISAE 3402 engagement is control set of the service organization, or to be more precise the service organizations controls over services, functions performed and applications that are likely to be relevant for the customer and its auditor to evaluate the internal control over financial reporting. It is also known as "Internal Control Framework over Financial Reporting" (ICFR). When performing an ISAE 3402 the auditor has to take the position of the customer, selecting and testing controls that are relevant for the customer.
The ISAE 3000 standard is a more general standard for assurance engagements both for financial and non-financial purposes. Assurance engagements according to ISAE 3402 require compliance of the auditor with ISAE 3000.
ISAE 3402 defines two kinds of reports:
- Type I: Documenting a "snapshot" of the organization's controls
- Type II: Documenting over a period of time (typically 12 months) showing controls have been managed over time.
ISAE 3402 is a SOC 1 engagement. SOC is an acronym coined by the American Institute of Certified Public Accountants (AICPA) for service organizations controls, and was re-coined in 2017 as system and organizational controls. AICPA has defined three types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 is an abbreviation for SOC for Service Organizations: ICFR. SOC 2 is an abbreviation for SOC for Service Organizations: Trust Services Criteria. SOC 3 is an abbreviation for SOC for Service Organizations: Trust Services Criteria for General Use Report.
SOC 2 engagements are performed on the basis of the more general ISAE 3000, whereas SOC 1 engagements are performed on the basis of ISAE 3402 (see above).
In order to be able to read and understand an ISAE 3402 report, some core terms are essential:
- Criteria: in the context of ISAE 3402, these are comparative standards with which a situation can be assessed. Examples of legal and regulatory criteria are OECD principles, GDPR, MaRisk or GoBD.
- Carve-out method: refers to a method according to which the internal control system of a sub-service provider is not included in the scope of the audit of the service provider. For the service provider's customer, an ISAE 3402 report with a CARVE-OUT is unfavorable because relevant controls may not have been audited. Example: an IT service provider offers its software to the customer as SaaS, but the controls of the data center where the software is operated are not audited.
- Inclusive method: refers to a method whereby a sub-service provider's internal control system is included in the scope (extent) of the service provider's audit. An ISAE 3402 report using the inclusive method is beneficial to a service provider's client.
- Complementary User Entity Controls: The service provider's audit of its ICS assumes that the customer itself performs certain controls and assumes responsibility for them. If the customer was not informed about the Complementary User Entity Controls in advance and did not perform them, the controls implemented at the service provider are not effective (efficient). Example: the service provider operates a data center and expects the customer to promptly inform the service provider about changes in the employees authorized to access the data center. The service provider only grants access to persons who are included on the access list. This control is audited and is effective. However, if the underlying access list is not current, the entire access control is not effective.
- System: A system (service organization's system) is defined as the policies and procedures, and applications, required to provide a customer-related service.
- "ISAE 3402 Assurance Reports on Controls at a Service Organization", IFAC / IAASB
- "ISAE 3402 Implementation Whitepaper Outsourcing Assurance", isae3402.co.uk
- "What is ISAE 3402?", Deloitte
- "Implementing and Maintaining ISAE 3402", Ernst and Young
- International ISAE3402 register, isae3402.co.uk
- ISAE 3402 library, risklane.nl (Dutch)
- ISAE3402 register, isae3402.nl (Netherlands)