ISAE 3402 Audit

ISAE 3402, or International Standard on Assurance Engagements 3402, is a globally recognized auditing standard. It provides assurance about the controls at a service organization. This standard aims to build trust between service organizations and their clients.

ISAE 3402 is an assurance standard that describes engagements concerning controls at service organizations (SOC). It gives clients assurance that the service organization has appropriate internal control mechanisms. ISAE 3402 was developed by the IAASB and published by IFAC in 2009, replacing the SAS 70 standard and emphasizing control monitoring and evaluation.

However, organizations in the USA strongly prefer audits conducted in compliance with the AICPA SSAE 18 standards. Moreover, American Certified Public Accountants (US CPAs) must always apply SSAE 18 standards during an audit, even when they are carrying out a project based on the ISAE 3402 standard.

ISAE 3402 audits serve multiple purposes:

  • Evaluate internal controls,
  • Enhance transparency,
  • Mitigate risk,
  • Boost client confidence.

Service organizations undergo these audits voluntarily. By doing so, they demonstrate their commitment to maintaining robust control environments. This proactive approach often gives them a competitive edge in the market.

The audit process involves rigorous examination of control objectives and activities. Auditors assess the design and operational effectiveness of controls. They typically focus on areas such as:

  • Information technology,
  • Data security,
  • Financial reporting,
  • Operational processes.

ISAE 3402 reports come in two types: Type I and Type II. Type I evaluates control design at a specific point in time. Type II is more comprehensive and assesses control effectiveness over a period, usually 6-12 months.

These audits benefit both service providers and their clients. Providers gain credibility and streamline client audits. Clients receive valuable insights into their service providers' control environments, aiding risk management efforts.

Types of ISAE 3402 reports

ISAE 3402 audits yield two distinct report types, each serving unique purposes in assessing service organizations' controls:

Type I report

A Type I report provides a snapshot assessment of a service organization's control environment at a specific point in time. It focuses on:

  • Description of the service organization's system
  • Design suitability of controls
  • Implementation status of controls

This report type is ideal for organizations seeking initial validation or those undergoing significant changes in their control environment.

Type II report

Type II reports offer a more comprehensive evaluation, examining the operational effectiveness of controls over a defined period, typically 6-12 months. They include:

  • All elements of a Type I report
  • Detailed testing of control effectiveness
  • Results of control testing

Type II reports provide greater assurance to stakeholders, demonstrating consistent control performance over time.

The choice between Type I and Type II depends on factors such as organizational maturity, client requirements, and regulatory obligations. Many organizations start with a Type I report before progressing to the more rigorous Type II assessment.

Stay in touch

ITGRC ADVISORY LTD.
590 Kingston Road, London,
United Kingdom, SW20 8DN
Company number: 12435469
