ISAE 3402 & ISAE 3000
The importance of ISAE 3402 and ISAE 3000 for outsourcing
'Service Organization Control reports' such as ISAE 3402 en ISAE 3000 create added value for suppliers of outsourcing services (service organisations) as well as for their customers:
- Service Organization Control reports create confidence with (potential) customers of service organisations and are, as a result, a powerful marketing tool for service organisations;
- Service Organization Control reports support the governance, risk management & compliance activities of customers of service organisations and are therefore an added value to them.
That's why many service organisations issue Service Organization Control reports. Such as cloud computing and IT service organisations, asset managers, financial services bureaus, logistics service organisations and payroll processors. The best-known types of Service Organization Control reports are ISAE 3402 and ISAE 3000.
What are ISAE 3402 and ISAE 3000?
ISAE 3402 & ISAE 3000 are standards of the International Federation of Accountants (IFAC). These standards can be used to provide assurance on outsourcing, more specifically:
-
ISAE 3000
International Standard on Assurance Engagements 3000 - Assurance engagements other than audits or reviews of historical financial information. -
ISAE 3402
International Standard on Assurance Engagements 3402 - Assurance reports on controls at a service organization.
ISAE 3402 (previously SAS 70) is meant to report on internal controls that are relevant to a customer's financial reporting. In the case that the outsourced services do not relate to financial reporting, the ISAE 3000 standard should be used. For example to provide assurance on availability, security and privacy.
What are Service Organization Control (SOC) reports?
The American Institute of Certified Public Accountants (AICPA) uses the term Service Organization Control (SOC) reports. The ISAE 3402 report type is referred to as SOC1. The ISAE 3000 report type that deals with security, availability, processing integrity, confidentiality or privacy is referred to as SOC2. The Americans also offer the option of a seal on the Website of the service organisation that is called SOC3. Many cloud-computing vendors provide assurance to their customers based on SOC2 or SOC3.
ISAE 3402 & ISAE 3000 services of ITegrity
Service Organization Control reports require a thorough knowledge and experience. Such specialism is scarce, even within the community of auditors. ITegrity offers this specialism with the following services:
-
Project management
The full coordination and project management for the realization of a Service Organization Control report, including coaching of the internal organisation and relationship management of the external auditor. -
Readiness / Risk consulting
ITegrity assists your organisation, so you can look forward to the audit with confidence. We support with the choice of the appropriate report type, the scope, risk analysis and gap analysis. But also with advise on implementing the right internal controls and with drafting all required descriptions of your operation. -
Auditing
ITegrity acts as external service auditor who issues the ISAE 3402 / ISAE 3000 report.
The advantages of ITegrity
-
Expertise
ITegrity is specialised in Service Organization Control reports and can effectively assist your organisation with establishing your own Service Organization Control report. -
Involved
Your organisation is supported by experienced and highly motivated professionals. -
Value-for-money
As a result of limited overhead, ITegrity can work with attractive rates. And even more important: as a result of our expertise and involvement, we work very efficiently. A cost saving for you.
Read more on our expertise on Outsourcing Assurance.
Want to know more about the services of ITegrity? Please feel free to contact us.
21 Mrt: Conference
ITegrity in Aruba and Curaçao to present on security and privacy assurance.
Read more
15 Okt: New website
ITegrity launches its new website with information about its services and expertise.
Read more
