ISAE 3402 – what you need to know

Have you heard of the ISAE 3402 standard? It was developed to provide information on, and an assessment of, the controls within service organizations. ISAE 3402 is often used by service organizations to communicate to their clients that the service delivered is of good quality, which is guaranteed by an external auditor.

What is ISAE 3402?
ISAE (International Standards for Assurance Engagements) 3402, Assurance Reports on Controls at a Service Organization, is an assurance standard that became effective on June 15, 2011. ISAE 3402 is both an extension and an expansion of SAS 70 (Statement on Auditing Standards no. 70), which was first published in 1988 by the American Institute of Certified Public Accountants.

There are two types of ISAE 3402 reports: Type I and Type II. The Type I report provides a description of the service organization’s systems and controls, which is supported by a management assertion and an auditor’s description of the correctness of that description as well as whether the controls have been put into operation. The Type I report also includes an assertion and an auditor’s opinion on whether the controls are designed in such a way that control objectives can be achieved. The Type II report includes the same as the Type I report, but in addition it includes a management assertion and an auditor’s opinion on the operating effectiveness of controls, e.g. whether the controls have been running for the entire period that the report relates to.

Primary Responsibilities of the service organization
A service organization has five primary responsibilities under the ISAE 3402 standard:

  1. Present a complete and accurate description of the internal control framework.
  2. Specify the control objectives.
  3. Identify the risks that threaten achievement of the control objectives.
  4. Design, implement and maintain controls to provide reasonable assurance that control objectives will be achieved.
  5. Provide a written assertion that accompanies the description on completeness and accuracy of the information provided.


Advantages of complying with ISAE 3402
By complying with the ISAE 3402 standard, a software hosting provider (or ASP) can assure its clients that their data and system operation are in good hands. This can be a competitive advantage over service providers who do not offer a 3402 report.
