Required components ISAE 3402
Every ISAE 3402 report has required components:
I. A description of the control framework.The description fairly presents the service organization’s system as designed and implemented as at the specified date
II. A written assertion by management of the service organization that, in all material respects, and based on suitable criteria.The controls related to the control objectives stated in the service organization’s description of its system were suitably designed
Service auditor report
The service auditor conveys reasonable assurance about the matters under I and II and includes a descriptions of the tests of controls. A service auditor can issue a ISAE3402 type I and an ISAE3402 type II report. The most important difference is that an ISAE3402 type I report refers to a specific moment and only provides assurance on the design and existence of controls described. An ISAE3402 type II report also provides assurance on the operating effectiveness of controls.