ISAE 3402

From Wikipedia, the free encyclopedia

ISAE 3402 is an assurance standard. The title is "Assurance Reports on Controls at a Service Organization" and it is also known as "Internal Control Framework over Financial Reporting" (ICFR). It was published in June 2011 as a standard for documenting that a service organisation has adequate internal controls. The approach is always from a financial reporting perspective;[1][2] for all other purposes one would use an ISAE 3000. In SOC terms, an ISAE 3402 is a SOC1. ISAE stands for "International Standard for Assurance Engagements".

Like SAS 70 and SSAE 16, ISAE 3402 prescribes Service Organization Control reports, which help give assurance to the organisation's customers and service users, who may have their own assurance needs.[3] There are two kinds of ISAE 3402 reports:

  • Type I: Documenting a "snapshot" of the organisation's controls
  • Type II: Documenting the organisation's controls over a period of time (typically 6 months), showing that they have been managed over time.[4]

ISAE 3402 was developed by the IAASB (International Auditing and Assurance Standards Board), but it is also supported by the IFAC (International Federation of Accountants). It supersedes SAS 70,[5] and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls.

  1. "Third party assurance (e.g. ISAE 3402)". Deloitte. Retrieved 12 June 2017.
  2. "ISAE 3402 Type II Service Organization Control - SOC Reporting". Rackspace. Retrieved 10 May 2015.
  3. "ISAE 3402 Services". A-LIGN. Retrieved 10 May 2015.
  4. "Service organization control (SOC) reports". Retrieved 10 May 2015.
  5. "ISAE 3402". ICC. Retrieved 9 May 2018.