ISAE 3402 provides assurance on outsourcing. The standard is originated due to growing demand for control over outsourced activities. Supervisory authorities increasingly demand for a solid risk management framework. These authorities require banks, pension funds and insurers to provide information on all processes outsourced to service organisations. From 2004 the SAS70 standard was applied for this purpose. The SAS70 standard is replaced by ISAE 3402 in 2011, internationally.
A user organization outsources processes to a service organization. User organization require insight in the outsourced processes. A service organization can provide this information by a Service Organization Control rapport (SOC-report). An ISAE 3402 is a such a SOC-report.
The report is often divided in two parts; a general part in which the internal control framework is described and a part in which a control matrix is included. A control matrix consists of the control objectives, the related controls and the outcomes of test procedures on the controls. An external accountant will perform the test procedures in accordance with the ISAE 3402 standard.
What are the requirements of the report?
The requirements are included in the standard, which you can download via the IFAC. The standard consists of the following components:
The review framework for the verification are is the financial statements of the user organisation. All the processes that will have effect on the financial statement are required to include. Generally, these consist of all the operational procedures, financial processes and the General IT Controls. An important difference with, for example the ISO-norms, is that ISAE 3402 uses the financial statement as review framework. Another important aspect is that the relation of the risks of an organization and the relevant controls will become transparent.
Type I and type II
There are two types of ISAE 3402 reports; a type I and a type II report. A type I report gives an overview of the organization at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are reached and whether the controls are present. In a type II report, the external auditor reports on the suitability of the design and the existence of controls and reports also on the operating effectiveness of these controls in a predetermined period (minimum of 6 months). Since ISAE 3402 has such a huge impact on organizations, organization generally start with a type I report and implement type II in a subsequent period.
You can prepare the report yourself. Based on the standards you would be able to ascertain the requirements. However, the professional description of processes and its controls takes a great deal of effort of your organization. Our experience learned us that a cooperation with SASconsult as advisor leads to more professional results and lower costs. Moreover, it would be wise to have an external party giving advice to your organization about security and internal control. Besides, we often recognize possibilities for establishing more efficient and effective processes during the ISAE 3402 implementations.
Our methodology is aimed at on effectiveness and cost control. During the impact analysis we will identify GPA's based on the most important risks. After describing control objectives, the control framework, and the implementation of missing objects, we will perform a pre-audit or readiness assessment. This a sort of general repetition, after which we advice on process improvements. We also will manage the audit procedures to assure an efficient process and, so deadlines are reached accordingly.
More and more organizations outsource their processes. Partly due to recent technological developments. From the year 2004, the ‘pensioenwet’ and ‘Wet Financieel Toezicht (Wft) require institutions to control their outsourced processes, which means having full insight in what is happening. For example, how is the internal control set up within the service organization? Are enough regulations in place to prevent fraud or trade with pre-knowledge from happening? How are the processes set up concerning information control?
Over the last 10 years, organizations and supervisors experienced a growing awareness of the need to control the entire business chain, including the supplier of an application and for example, the datacenter in which all the information is stored. ISAE 3402 is known as the only standard accepted by accountants carrying out their controls. A standard one can compare with SSAE16, required by Sarbanes Oxley.Read more about the relation between ISAE 3402 and ISO 27001 in ‘difference with ISO 27001’.
No review framework has been developed for ISO 27001, whereby certainty can be procured in the security of an organization. ISO 27001 only knows prescriptions and guidelines for information security. This could mean that in theory, one can comply with ISO 27001 since an information security policy is in place and back-up recovery is set up; while at the same time not having information security in order. So, the central question would be; when is it ISMS qualitative good enough? ISO 27001 does not give an explicit answer to this question.
Once an organization has its ISAE 3402 assurance report, the financial statement of the user organization becomes the final norm framework (by which certainty can be sourced from the report). An accountant does not have concrete guidelines for verifying, instead a norm framework.ISAE 3402 highlights the controls of the user organization affecting the annual report. Therefore, ISAE 3402 knows detailed control objects like correctness, timeliness and completeness. ISAE 3402 only knows a conceptual norm framework; the annual report of the user. Several norms are being handled in practice, most of the time consisting of internal norms set by the accountancy office.
A service organization might even outsource the processes to another organization. For example, an asset manager might outsource its property management or an Application Service provider might outsource its processes to a datacenter (back-ups/physical security regulations). If so, we talk of a subservice organization.A service organization can choose between two options. Or the control objects of the subservice organization will be an integral element in the ISAE 3402 report of the service organization. Or one uses a carve-out, which means referring to the report of the subservice organization in the report of the service organization.
Relevant regulations concerning information security must be an element in the ISAE 3402 report. Meaning that General IT Controls, like back-up/recovery, and the application controls need to be described in the ISAE 3402 report.
Complicated or complex? We don't think so. Our experience learns us that many organizations already have a well-organized internal control. Please read the business cases on our website, in which we describe our clients and explain why our approach is so effective. Emile ten Hoor (+31 (0)6 - 26 736 001) from our office, would be pleased to explain you the benefits of the ISAE 3402 certificate for your organization.