ISAE 3402 Provides Assurance To Customers

Frequently Asked Questions

ISAE 3402 – Questions and Answers

An ISAE 3402 report is an independent assurance statement on a service provider's internal controls. An external auditor — the Service Auditor — assesses whether these controls are suitably designed (Type I) and, for a Type II report, whether they have operated effectively over a period of at least six months. This gives clients and their own auditors confidence in the reliability of outsourced processes.

The process begins with a description of the organisation and its relevant processes. A control matrix is then drawn up, setting out which risks could affect the client's financial statements and which controls mitigate them. These controls are subsequently tested by the Service Auditor — for their design (Type I) and, for a Type II report, for their operating effectiveness over a period of at least six months.

A Type I report assesses the design of the controls at a specific point in time: do the controls genuinely exist, not just on paper but in practice? A Type II report goes a step further, examining whether these controls have actually operated as described over a period of at least six months.

Primarily service providers whose processes are relevant to their clients' financial reporting — for example data centres, trust companies, or outsourcing partners serving banks, insurers, or pension funds. Within the financial sector, organisations need to be able to demonstrate that they are reliable and have their security firmly under control; confirmation from an external auditor gives these institutions the assurance they require.

Preparation usually takes several months. The underlying processes are often already in place, but a proper description may be missing, or the organisation may lack the discipline or specific measures required. Once implemented, a Type II report requires an observation period of at least six months. Overall, organisations should generally allow around eight to twelve months to reach the final Type II report, with Type I taking a few months less.

AAF 01/20 is the UK-specific technical standard issued by the Institute of Chartered Accountants in England and Wales (ICAEW), most commonly used by pension administrators, investment managers, and other financial services outsourcing providers in the UK. It shares much of the same structure and control-objective approach as ISAE 3402, and many UK service organisations now produce a single combined report covering both standards, giving clients assurance under a UK-recognised framework as well as an internationally recognised one.

ISAE 3402 is the international standard, while SOC 1 is its US counterpart, issued under AICPA guidelines. The two are closely aligned in content, and many reports today are prepared on a combined basis.

ISO 27001 certifies the information security management system as a whole, whereas ISAE 3402 provides an assurance statement on specific controls, addressed to a client or financial institution. The key practical difference lies in the depth of testing: under ISAE 3402, a remediation plan is often not sufficient if a control fails to exist or has not operated effectively within the six-month period. This results in an exception being noted in the report and may also affect the assurance opinion itself, which could then include a qualification or, in the most serious cases, an adverse opinion.

Why Choose ISAE 3402

ISAE 3402 provides a trusted framework for assessing the effectiveness of internal controls, enhancing transparency and building stakeholder confidence. By adopting this standard, organisations streamline their audit processes and demonstrate a commitment to high governance standards.

ISAE 3402 Certification and Reporting

The ISAE 3402 audit evaluates the design and effectiveness of internal controls that affect financial statements, with the external auditor assessing control design (Type I) and operating effectiveness over time (Type II). The report typically includes at least a control matrix showing the risk management framework, control objectives, control measures, and audit results.

ISAE 3402 Type I

An ISAE 3402 Type I report includes an external auditor's opinion on the controls in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are achieved, and whether the controls are actually in place.

ISAE 3402 Type II

In a Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls during a predefined period. This means the external auditor performs a detailed examination of the service organisation's internal controls and also examines whether all controls have operated effectively in accordance with the predefined processes and procedures.

How to Obtain ISAE 3402 Certification

01 Understanding Requirements
Familiarise yourself with ISAE 3402 requirements and determine its significance for your organisation and clients.

02 Audit Preparation
Select an independent auditor and define the scope of the audit, including key processes and controls.

03 Documentation and Analysis
Document existing controls and create a control matrix, then conduct a gap analysis to identify deficiencies.

04 Internal Checks
Perform internal tests of controls and update documentation based on the testing results.

05 Conduct External Audit
Prepare the necessary documentation for the external auditor and provide access to processes and materials.

06 Analyse Results and Improve
Receive the auditor's report, analyse the findings, and implement recommendations for continuous improvement of processes and controls.

Why Should You Register an ISAE 3402 Report?

The register is consulted continuously by organisations in every industry. By registering your report, you demonstrate that you meet the requirements of ISAE 3402 and are a reliable service provider.

ISAE 3402 reports are similar to SOC 1 reports (the US standard). Since SOC 1 reports have the same scope and value as an ISAE 3402 report, SOC 1 reports are also registered.
