
International Standard on Assurance Engagements 3402 (ISAE 3402), titled Assurance Reports on Controls at a Service Organization, is an international assurance standard for Service Organization Control (SOC) engagements. Such an engagement gives a service organization's customers, and their auditors, assurance that the service organization has adequate internal controls, that is, processes that provide reasonable assurance of operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB) and published by the International Federation of Accountants (IFAC) in 2009. It is the international successor to the US standard SAS 70 (which the AICPA itself replaced with SSAE 16, since superseded by SSAE 18) and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls.

An ISAE 3402 report is widely regarded as a quality criterion that distinguishes a service provider from its competitors. It also pays for a customer to contract with a provider that holds one: the customer's auditor can rely on the service organization's report instead of testing the outsourced controls directly, which reduces the customer's own audit effort and budget.


Scope, Types and SOC classification

The scope of an ISAE 3402 engagement is the service organization's control set, or more precisely its controls over the services, functions and applications that are likely to be relevant to the customer and the customer's auditor when evaluating the customer's internal control over financial reporting (ICFR). When performing an ISAE 3402 engagement the auditor has to take the customer's position, selecting and testing the controls that matter to the customer. ISAE 3000 is the more general standard for assurance engagements, financial and non-financial; an ISAE 3402 engagement additionally requires the auditor to comply with ISAE 3000.

ISAE 3402 defines two kinds of report:

* Type I: a description of the service organization's system and an opinion on the suitability of the design of its controls as of a specified date (a "snapshot").
* Type II: in addition, an opinion on the operating effectiveness of those controls over a period (commonly 12 months), showing that the controls were operated over time.

A practical consequence: a Type I report says nothing about whether a control actually worked. Only a Type II report, with its test results and any noted exceptions, tells a customer's auditor how the controls performed during the period.

ISAE 3402 is a SOC 1 engagement. SOC is an acronym coined by the American Institute of Certified Public Accountants (AICPA) for service organization controls, and was re-coined in 2017 as system and organization controls. AICPA has defined three types of SOC report:

* SOC 1: SOC for Service Organizations: ICFR.
* SOC 2: SOC for Service Organizations: Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy).
* SOC 3: SOC for Service Organizations: Trust Services Criteria for General Use Report, a short-form report on the same criteria that may be distributed freely.

Outside the United States, SOC 2 engagements are performed on the basis of the more general ISAE 3000, whereas SOC 1 engagements are performed on the basis of ISAE 3402 (see above).


Definitions

In order to read and understand an ISAE 3402 report, some core terms are essential:

* Criteria: in the context of ISAE 3402, the benchmarks against which a situation is assessed. Examples of legal and regulatory criteria are the OECD principles, the GDPR, MaRisk and GoBD.
* Carve-out method: the internal control system of a sub-service organization (a provider the service organization itself relies on) is excluded from the scope of the service organization's audit. For the service organization's customer a carve-out report is unfavourable, because relevant controls may not have been audited. Example: an IT service provider offers its software to the customer as SaaS, but the controls of the data center where the software is operated are not audited. A reader should therefore look for carved-out sub-service organizations in the report and obtain their own reports, or other evidence, for the excluded controls.
* Inclusive method: the sub-service organization's internal control system is included in the scope of the service organization's audit. An inclusive-method report is the more useful one for the service organization's customer.
* Complementary User Entity Controls (CUECs): the audit of the service organization's internal control system assumes that the customer itself performs certain controls and takes responsibility for them. If the customer was not told about the CUECs in advance and does not perform them, the controls implemented at the service organization are not effective. Example: the service provider operates a data center and expects the customer to inform it promptly of changes to the employees authorized to enter it. The provider grants access only to persons on the access list; this control is audited and found effective. But if the underlying access list is not kept current by the customer, the access control as a whole is not effective.
* System: the service organization's system is the policies, procedures and applications required to provide a customer-related service.
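The CUEC example above, worked through as an added illustration (this is example code written for this page, not material from ISAE 3402 or from any report). It models the provider's control (admit only persons on the access list) and the customer's complementary control (tell the provider when an authorization ends) separately, over constructed sample data, so that the two verdicts can be compared: the provider-side test passes, while the end-to-end test fails because a departed employee was never removed. The `notice_days` parameter is an assumption standing in for whatever notification period the contract sets.

```python
"""Provider-side vs. end-to-end evaluation of a data-center access control.

Constructed example for illustration; names, dates and the notice period are
invented, not taken from any real engagement or report.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessListEntry:
    person: str
    granted_on: date


@dataclass(frozen=True)
class RosterEntry:
    person: str
    authorized_until: Optional[date]  # None: still authorized by the customer


# What the service organization holds (constructed): its access list and the
# badge log that the ISAE 3402 auditor samples.
PROVIDER_ACCESS_LIST: List[AccessListEntry] = [
    AccessListEntry("alice", date(2023, 1, 10)),
    AccessListEntry("bob", date(2023, 1, 10)),
    AccessListEntry("carol", date(2023, 6, 1)),
]
BADGE_LOG: List[Tuple[str, date]] = [
    ("alice", date(2023, 9, 4)),
    ("bob", date(2023, 9, 5)),    # bob left the customer in August (see roster)
    ("carol", date(2023, 9, 6)),
]

# What only the customer knows (constructed): who is still authorized.
# Passing this on promptly is the complementary user entity control.
CUSTOMER_ROSTER: List[RosterEntry] = [
    RosterEntry("alice", None),
    RosterEntry("bob", date(2023, 8, 15)),   # authorization ended; provider never told
    RosterEntry("carol", None),
]


def provider_control_effective(access_list: List[AccessListEntry],
                               badge_log: List[Tuple[str, date]]) -> bool:
    """The control the provider operates and the auditor tests: nobody is
    admitted unless they were on the access list on the day of entry."""
    granted: Dict[str, date] = {e.person: e.granted_on for e in access_list}
    return all(p in granted and granted[p] <= when for p, when in badge_log)


def stale_entries(access_list: List[AccessListEntry], roster: List[RosterEntry],
                  as_of: date, notice_days: int = 0) -> List[str]:
    """CUEC test from the customer's side: persons still on the provider's list
    whose authorization ended more than notice_days before as_of (notice_days
    is an assumed contractual notification period), or who are unknown to the
    customer's roster altogether."""
    until = {r.person: r.authorized_until for r in roster}
    stale: List[str] = []
    for e in access_list:
        if e.person not in until:
            stale.append(e.person)      # on the provider's list, unknown to the customer
            continue
        end = until[e.person]
        if end is not None and end + timedelta(days=notice_days) < as_of:
            stale.append(e.person)      # should have been revoked by now
    return sorted(stale)


def control_effective_end_to_end(access_list: List[AccessListEntry],
                                 badge_log: List[Tuple[str, date]],
                                 roster: List[RosterEntry], as_of: date,
                                 notice_days: int = 0) -> bool:
    """The verdict that matters to the customer's auditor: the provider's control
    worked AND the customer kept the list current."""
    return (provider_control_effective(access_list, badge_log)
            and not stale_entries(access_list, roster, as_of, notice_days))


if __name__ == "__main__":
    as_of = date(2023, 9, 30)
    print("provider-side control effective:",
          provider_control_effective(PROVIDER_ACCESS_LIST, BADGE_LOG))
    print("stale access-list entries:",
          stale_entries(PROVIDER_ACCESS_LIST, CUSTOMER_ROSTER, as_of))
    print("end-to-end effective:",
          control_effective_end_to_end(PROVIDER_ACCESS_LIST, BADGE_LOG,
                                       CUSTOMER_ROSTER, as_of))
```

The split mirrors how the report should be read: the provider's test result is genuine, but it only covers what the provider can see. The customer, or its auditor, has to run the second check against its own roster; a report that lists CUECs without the customer actually performing them provides less assurance than it appears to.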


See also

* ISAE 3000
* Sarbanes–Oxley Act
* SSAE 16
* SSAE No. 18



External links


* ISAE 3402 Assurance Reports on Controls at a Service Organization (IFAC)
* ISAE 3402 Implementation Whitepaper Outsourcing Assurance (isae3402.co.uk)