ISAE 3402 implementation

ISAE 3402 reports are used by audit firms to increase the effectiveness of financial audits. Processes executed by a service organization for a user organization might have an impact on operational processes which affect the financial statements of the user organization. Each service organization could engage own audit firms to perform audits, implicating that service organizations will be visited by numerous auditors. ISAE 3402 reports limits these audits to the service audit only.

ISAE 3402 is generally applicable if an independent auditor (“user auditor”) is planning the financial statement audit of an user organization that obtains services from other organizations (“service organization”). The report will be audited by a ISAE 3402 auditor (specialized service auditor. The service auditor reports to the independent auditor in accordance to ISAE 3402 on the operating effectives of procedures and controls, relevant for annual reporting.

Applications are increasingly offered as cloud services. Consequently the demand for ISAE 3402 and the control of processes has increased significantly. Aspects such as data protection, fraud prevention, and protection of personal information have the special interest of both user organizations and supervisory bodies. Until 2008, ISAE 3402 reports were mainly used in the asset management and pension administration industry. Demand for ISAE3402 has grown in the entire financial market, from real estate management to hosting providers and credit management institutions. The European Governance Institution has initiated partnerships with associations in industries to maintain the quality of ISAE 3402 reports.

ISAE 3402 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the IAASB’s standards for fieldwork, quality control, and reporting (ISAE 3000). There are no detailed prescriptive guidelines for an ISAE 3402 report . In the ISAE 3402 standard the testing procedures are prescribed, and the scope of the report should include all processes that affect the financial statements. In daily practice, best practices have been developed by service organizations and the big four audit firms. An ISAE3402 report usually consist of a “general part,” which includes a description of the organization, the risk management framework, and an overview of the entire internal control framework. A control matrix is included in the report. In this matrix, a detailed description of management objectives, controls, and the test results of the external auditor are presented. More information about the contents of an ISAE3402 report and the consequences for an organization can be found here ( ISAE 3402 implementation). A service auditor may issue two types of reports: an ISAE 3402 Type I report or an ISAE 3402 Type II report .

An ISAE 3402 Type I report includes an opinion of an external auditor on the controls in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are accomplished and whether the controls are in place.

The examination performed by the external auditor for an ISAE 3402 Type II report differs from an ISAE 3402 Type I report examination. In a Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls during a predefined period. This implies that the external auditor performs a detailed examination of the internal control of the service organization and also examines whether all controls are operating effectively in accordance with predefined processes and controls.