ISAE 3402

Last updated April 15, 2024

International Standard on Assurance Engagements (ISAE) 3402, titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that describes Service Organization Control (SOC) engagements, which provides assurance to an organization's customer that the service organization has adequate internal controls.^[1] ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB) and published by the International Federation of Accountants (IFAC) in 2009. It supersedes SAS 70. and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls.^[2]

Scope, Types and SOC classification

The scope of an ISAE 3402 engagement is control set of the service organization, or to be more precise the service organizations controls over services, functions performed and applications that are likely to be relevant for the customer and its auditor to evaluate the internal control over financial reporting. It is also known as "Internal Control Framework over Financial Reporting" (ICFR)^{[ citation needed ]}. When performing an ISAE 3402 the auditor has to take the position of the customer, selecting and testing controls that are relevant for the customer.

The ISAE 3000 standard is a more general standard for assurance engagements both for financial and non-financial purposes. Assurance engagements according to ISAE 3402 require compliance of the auditor with ISAE 3000.

ISAE 3402 defines two kinds of reports:

Type I: Documenting a "snapshot" of the organization's controls
Type II: Documenting over a period of time (typically 12 months) showing controls have been managed over time.^[4]

ISAE 3402 is a SOC 1 engagement. SOC is an acronym coined by the American Institute of Certified Public Accountants (AICPA) for service organizations controls, and was re-coined in 2017 as system and organizational controls. AICPA has defined three types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 is an abbreviation for SOC for Service Organizations: ICFR. SOC 2 is an abbreviation for SOC for Service Organizations: Trust Services Criteria. SOC 3 is an abbreviation for SOC for Service Organizations: Trust Services Criteria for General Use Report.^[3]

SOC 2 engagements are performed on the basis of the more general ISAE 3000, whereas SOC 1 engagements are performed on the basis of ISAE 3402 (see above).

Definitions

In order to be able to read and understand an ISAE 3402 report, some core terms are essential:

Criteria: In the context of ISAE 3402, these are comparative standards with which a situation can be assessed. Examples of legal and regulatory criteria are OECD principles, GDPR, MaRisk or GoBD.
Carve-out method: Refers to a method according to which the internal control system of a sub-service provider is not included in the scope of the audit of the service provider. For the service provider's customer, an ISAE 3402 report with a CARVE-OUT is unfavorable because relevant controls may not have been audited. Example: an IT service provider offers its software to the customer as SaaS, but the controls of the data center where the software is operated are not audited.
Inclusive method: Refers to a method whereby a sub-service provider's internal control system is included in the scope (extent) of the service provider's audit. An ISAE 3402 report using the inclusive method is beneficial to a service provider's client.
Complementary User Entity Controls: The service provider's audit of its ICS assumes that the customer itself performs certain controls and assumes responsibility for them. If the customer was not informed about the Complementary User Entity Controls in advance and did not perform them, the controls implemented at the service provider are not effective (efficient). Example: the service provider operates a data center and expects the customer to promptly inform the service provider about changes in the employees authorized to access the data center. The service provider only grants access to persons who are included on the access list. This control is audited and is effective. However, if the underlying access list is not current, the entire access control is not effective.
System: A system (service organization's system) is defined as the policies and procedures, and applications, required to provide a customer-related service.

Related Research Articles

<span class="mw-page-title-main">Accounting</span> Measurement, processing and communication of financial information about economic entities

Accounting, also known as accountancy, is the process of recording and processing information about economic entities, such as businesses and corporations. Accounting measures the results of an organization's economic activities and conveys this information to a variety of stakeholders, including investors, creditors, management, and regulators. Practitioners of accounting are known as accountants. The terms "accounting" and "financial reporting" are often used interchangeably.

<span class="mw-page-title-main">Assurance services</span> Profession giving information to reduce risk

Assurance service is an independent professional service, typically provided by Chartered or Certified Public Accountants or Chartered Certified Accountants, with the goal of improving information or the context of information so that decision makers can make more informed, and presumably better, decisions. Assurance services provide independent and professional opinions that reduce information risk.

An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

<span class="mw-page-title-main">Generally Accepted Auditing Standards</span> Standards which judge audits

Generally Accepted Auditing Standards, or GAAS are sets of standards against which the quality of audits are performed and may be judged. Several organizations have developed such sets of principles, which vary by territory. In the United States, the standards are promulgated by the Auditing Standards Board, a division of the American Institute of Certified Public Accountants (AICPA).

In the United States, Statements on Auditing Standards provide guidance to external auditors on generally accepted auditing standards in regards to auditing a non-public company and issuing a report. They are promulgated by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), which holds all copyright on the Standards. They are commonly abbreviated as "SAS" followed by their respective number and title.

<span class="mw-page-title-main">International Standards on Auditing</span>

International Standards on Auditing (ISA) are professional standards for the auditing of financial information. These standards are issued by the International Auditing and Assurance Standards Board (IAASB). According to Olung M, ISA guides the auditor to add value to the assignment hence building confidence of investors.

<span class="mw-page-title-main">Materiality (auditing)</span> Concept in auditing and accounting

Materiality is a concept or convention within auditing and accounting relating to the importance/significance of an amount, transaction, or discrepancy. The objective of an audit of financial statements is to enable the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in conformity with an identified financial reporting framework, such as the Generally Accepted Accounting Principles (GAAP) which is the accounting standard adopted by the U.S. Securities and Exchange Commission (SEC).

<span class="mw-page-title-main">SOX 404 top–down risk assessment</span>

In financial auditing of public companies in the United States, SOX 404 top–down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.

The chief audit executive (CAE), director of audit, director of internal audit, auditor general, or controller general is a high-level independent corporate executive with overall responsibility for internal audit.

Emphasis of matter is a type of paragraph in an auditors' report on financial statements. Such a paragraph is added to indicate a matter which is disclosed appropriately in the notes forming part of the financial statements that the auditor considers is fundamental to the users' understanding of the financial statements.

The International Federation of Accountants (IFAC) is the global organization for the accountancy profession. Founded in 1977, IFAC has 180 members and associates in 135 jurisdictions, representing more than 3 million accountants in public practice, education, government service, industry, and commerce. The organization supports the development, adoption, and implementation of international standards for accounting education, ethics, and the public sector as well as audit and assurance. It supports four independent standard-setting boards, which establish international standards on ethics, auditing and assurance, accounting education, and public sector accounting. It also issues guidance to professional accountants in small and medium business accounting practices.

The International Ethics Standards Board for Accountants (IESBA) develops and promotes the International Code of Ethics for Professional Accountants. The IESBA also supports debate on issues related to accounting ethics and auditor independence.

The Forum of Firms is an association of international networks of accounting firms that perform transnational audits.

Delaware Depository is a privately held precious metals custody and distribution center founded in 1999. Located in Wilmington, Delaware, Delaware Depository provides precious metals bullion custody, safekeeping, and distribution services for IRA custodians, financial institutions, broker-dealers, refiners, and individual investors. Customers have the option of storing bullion in either Wilmington, DE, Orange County, CA, or internationally, in Canada or Switzerland.

ISAE 3000 is the standard for assurance over non-historical financial information. ISAE 3000 is issued by the International Auditing and Assurance Standards Board (IAASB). The standard consists of guidelines for the ethical behavior, quality management and performance of an ISAE 3000 engagement.

Statement on Standards for Attestation Engagements no. 16 is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 and has been superseded by SSAE No. 18.

Statement on Standards for Attestation Engagements no. 18 is a Generally Accepted Auditing Standard produced and published by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. Though it states that it could be applied to almost any subject matter, its focus is reporting on the quality of financial reporting. It pays particular attention to internal control, extending into the controls over information systems involved in financial reporting. It is intended for use by Certified Public Accountants performing attestation engagements, the preparation of a written opinion about a subject, and the client organizations preparing the reports that are the subject of the attestation engagement. It prescribes three levels of service: examination, review, and agreed-upon procedures. It also prescribes two types of reports: Type 1, which includes an assessment of internal control design, and Type 2, which additionally includes an assessment of the operating effectiveness of controls. Published April 2016, SSAE 18 and all previous standards it supersedes are represented in section AT-C of the AICPA Professional Standards, with most sections becoming effective on May 1, 2017.

System and Organization Controls as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Criteria. The Trust Services Criteria were established by The AICPA through its Assurance Services Executive Committee (ASEC) in 2017. These control criteria are to be used by the practitioner/examiner in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service. The engagements can be done on an entity wide, subsidiary, division, operating unit, product line or functional area basis. The Trust Services Criteria were modeled in conformity to The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework. In addition, the Trust Services Criteria can be mapped to NIST SP 800 - 53 criteria and to EU General Data Protection Regulation (GDPR) Articles. The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18, section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.

References

↑ "ISAE 3402 Overview". isae3402.com. Retrieved 2021-11-17.
↑ "Assurance Reports on Controls at a Service Organization—Issues and IAASB Task Force Proposals" (PDF). IAASB Main Agenda. IFAC. September 2009. Retrieved 2021-11-17.
1 2 "Checklists". isae3402-audit.de. 2021-10-20. Retrieved 2021-11-17.
↑ "Service organization control (SOC) reports". isae3402.com. Retrieved 2021-11-17.

External links

ISAE 3402 Assurance Reports on Controls at a Service Organization (IFAC)
ISAE 3402 Implementation Whitepaper Outsourcing Assurance (isae3402.co.uk)

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "ISAE 3402 Overview". isae3402.com. Retrieved 2021-11-17.

[2] "Assurance Reports on Controls at a Service Organization—Issues and IAASB Task Force Proposals" (PDF). IAASB Main Agenda. IFAC. September 2009. Retrieved 2021-11-17.

[checklists-3] 1 2 "Checklists". isae3402-audit.de. 2021-10-20. Retrieved 2021-11-17.

[4] "Service organization control (SOC) reports". isae3402.com. Retrieved 2021-11-17.

[1]

[2]

[3]

[4]