Does your organization outsource services or, on the contrary, is your organization hired by other parties to perform services for them? Then you know how hard it is to control outsourced services, or to show that you are in control of the services you perform for others. After all, it is not always possible to check or show that the outsourced service is in control.
Often, organizations sign a Service Level Agreement (SLA) or other contractual agreement. In this agreement they state the requirements for the service and the organization which performs the service. However, it mostly remains unclear whether these requirements are actually met.
That is where ISAE 3402 comes in. An ISAE 3402 report provides insight into the quality, continuity, safety and integrity of the organization which performs the service. Therefore, the report gives assurance to the organization which outsources the service.
ISAE means ‘International Standard for Assurance Engagements’. It is not a standard and you cannot become certified with it. It is, however, an objective report signed by a specialized accountant. If the accountant signs the report, it means that the organization which performs the service is in control and complies with the stated quality requirements.
ISAE 3402 report
There are two different types of ISAE reports, type I and type II. With a type I report the accountant checks the design of the controls. These controls are activities aimed at managing risks of the critical processes. The report clarifies whether it is expected that the service is performed in accordance with the agreed requirements. This way, the organization that outsources the service gets more insight into the policies, processes and controls of the organization they hired to perform the service.
An ISAE 3402 type II audit checks the actual functioning of the controls over a period of six months. In other words, the accountant assesses the implementation of the controls. With a type II audit, the organization that outsources the service remains assured that the requirements are met.
In short, the accountant audits whether or not the service is in control. This audit concerns the design of the controls (type I) or the actual implementation of the controls over a six-month period (type II). Based on the audit results the auditor signs the report which states the level of control of the quality, continuity, safety and security of the service.
Advantages ISAE 3402
Regarding outsourced services an ISAE 3402 report provides several unique advantages:
Insight and assurance for the organization which outsources the service
Organizations which perform the service show that they meet expectations and manage risks
Proactive risk management by implementing controls
Securing business continuity and information security in the business operations
An ISAE 3402 report via Protify
As consultants we often see complex processes and outsourced services at our clients. That is why we work together with specialized accountants who can provide ISAE 3402 reports.
We make sure that you are ready to receive an ISAE 3402 report. Together we think of the best approach or we check everything for you. But, naturally, we also assist with creating the ISAE 3402 framework. We carry out a risk analysis, adjust the documentation and create the required controls. Your organization is then responsible for implementing the controls and complying with them.
With a type I report the accountant carries out an audit to check the design of the controls. With a type II audit you need to gather evidence over a period of six months that the controls are effectively implemented.
We decide at the start of the project which type of report is fitting, a type I or a type II report. Often this depends on what the client who requires the ISAE 3402 report wants.
Would you like to know more about what we can do for you? Please feel free to contact us via the contact form, so we can discuss the possibilities together.
Why choose Protify?
Years of experience with certification
Implementation of ISAE 3402 within the existing business operations
No complicated books, but clear and to-the-point policies
Personal involvement of our consultants
Excellent collaboration with trusted accountants