ISAE 3402
ISAE 3402, titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that describes Service Organization Control engagements, which provide assurance to a service organization's customers that the service organization has adequate internal controls.
ISAE 3402 was developed by the International Auditing and Assurance Standards Board and published by the International Federation of Accountants in 2009. It supersedes SAS 70 and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls.
An ISAE 3402 attestation including an audit report is regarded as a quality criterion for service providers that distinguishes them from competitors.
Scope, Types and SOC classification
The scope of an ISAE 3402 engagement is the control set of the service organization, or, more precisely, the service organization's controls over the services, functions performed and applications that are likely to be relevant to the customer and its auditor when evaluating internal control over financial reporting. This is also known as the "Internal Control Framework over Financial Reporting". When performing an ISAE 3402 engagement, the auditor has to take the position of the customer, selecting and testing the controls that are relevant for the customer. The ISAE 3000 standard is a more general standard for assurance engagements, covering both financial and non-financial purposes. Assurance engagements under ISAE 3402 require the auditor to comply with ISAE 3000.
ISAE 3402 defines two kinds of reports:
Type I: Documenting a "snapshot" of the organization's controls at a point in time.
Type II: Documenting controls over a period of time, showing that they have been managed over that period.
ISAE 3402 is a SOC 1 engagement. SOC is an acronym coined by the American Institute of Certified Public Accountants for service organization controls, and was re-coined in 2017 as system and organizational controls. AICPA has defined three types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 is an abbreviation for SOC for Service Organizations: ICFR. SOC 2 is an abbreviation for SOC for Service Organizations: Trust Services Criteria. SOC 3 is an abbreviation for SOC for Service Organizations: Trust Services Criteria for General Use Report.
SOC 2 engagements are performed based on the more general ISAE 3000, whereas SOC 1 engagements are performed based on ISAE 3402. Like SOC 1, a SOC 2 audit can be issued as a Type I report, which evaluates the design of controls at a specific point in time, or a Type II report, which assesses their operating effectiveness over a period of 3 to 12 months. While a Type I audit focuses on documentation and design, a Type II audit requires sustained evidence of the operation of continuous controls, such as monitoring logs and incident reports.