For an ISAE3402 certification, a Service Organization Control (SOC) report is required. This report must be audited by an external auditor, who issues an assurance report together with the SOC report. The report must be prepared in accordance with the ISAE3402 guidelines: all controls have to be included and each control must be auditable. In practice this usually means that controls have to be documented and recorded more thoroughly than before.
The demand follows from the growth in outsourcing. Many organizations concentrate on their core activities and outsource non-core processes. At the same time, trust between parties has decreased, so the demand for demonstrable control over outsourced processes increases.
An ISAE3402 report is audited by an external auditor, and the report must be prepared in accordance with the applicable audit standards. If the staff responsible have an audit background, preparation will go more smoothly. Specialized organizations can assist with preparing the report and managing the audit process.
If your enterprise takes over (insources) processes from other organizations and those processes can have a material impact on the financial statements of the organizations that use your services, an ISAE3402 report is appropriate. In addition, organizations under supervision of a regulator such as the FSA must be able to demonstrate that their outsourced processes are under control.
ISAE3402 is the international standard for control over outsourcing. In (international) tenders involving outsourcing, an ISAE3402 certification will in many cases be required. A further advantage is that your internal processes become better aligned and more formalized.
Yes, it is required that the relevant information systems are included in the ISAE3402 report (ref. ISAE3402.16).
This is an example of European practice. In principle, ISAE3402 requires that sample sizes be sufficient to reduce risk to a reasonably low level; it does not prescribe fixed numbers. The PCAOB guidelines, by contrast, require a sample size of 25 for daily controls, but those guidelines are not part of the ISAE3402 standard.
A subservice organization is an organization that takes over (insources) processes from a service organization. If, for instance, an asset manager outsources the hosting of its servers, the hosting provider is a subservice organization. The service organization can opt for a 'carve-out', in which case it refers to the ISAE3402 report of the subservice organization instead of covering those controls in its own report.
This is a semantic discussion. Strictly speaking, an ISAE3402 report is not a certification: it is a Service Organization Control report accompanied by an assurance report issued in accordance with ISAE3402. In everyday usage, however, it is commonly referred to as an ISAE3402 certification.