Category: Advisory

ISAE 3402 for assurance on outsourcing

ISAE 3402; assurance on outsourcing

The ISAE 3402 standard is an internationally recognized audit standard issued by the International Auditing and Assurance Standards Board (IAASB). The examination by the auditor of a service organization is widely accepted as it represents a thorough review of the internal control objectives and activities of a service organization. The audit framework and associated control measures are detailed in the System and Organization Report (SOC). The scope of an ISAE 3402/SOC report consists of controls over information technology and operational processes affecting the finances of an organization.

SOC 1 OR SOC 2

SOC reports can be distinguished into SOC 1 and SOC 2 reports. An ISAE 3402/SOC 1 focuses on financial statements and all processes affecting them. An ISAE 3000 (or SOC 2) report is aimed at meeting a broader range of user needs, including concerns about privacy, confidentiality, and system availability. SOC 2 reports are modular based on the Trust Services Principles and Criteria.

Type I and Type II

An ISAE 3402 Type I report contains an opinion from an external accountant on the control measures in place at a specific point in time. The external accountant examines whether internal control measures are adequately designed to provide a reasonable level of assurance that the assertions in the financial statements are achieved and whether internal control measures exist. In an ISAE 3402 Type II report, the external accountant also reports on the operation of these control measures over a predetermined period. ISAE 3402 reports typically cover the design and operation of controls for a 12-month period with continuous coverage from year to year. A report may cover a minimum period of six months.

Aligning external requirements with internal risk excellence

In outsourcing situations, many questions may arise: Are services performed in a controlled manner? How is security handled? Who has access to our information? Are there adequate fraud prevention measures in place? ISAE 3402 provides a solution to these problems.

ISAE 3402 supports organizations in measuring and evaluating risks and aligning the resulting control framework with strategic objectives and these risks. A one-time investment in the framework pays off by enhancing market confidence and organizational excellence.

What’s a better fit? An SOC 1 or an SOC 2?

What’s a better fit?

An
SOC 1 or an SOC 2?

The general term for third-party risk reporting by service organizations to user organizations is Systems and Organization Control Report or SOC report. This term originates from the American Institute of Certified Public Accountants (AICPA) as a replacement for the SAS70 framework.

These were previously called Service Organization Control reports. SOC is a series of reports originating in the US. ISAE 3402 aligns with the American Statement on Standards for Attestation Engagements (SSAE) 18 American standard. An ISAE 3402 report provides assurance on the description of a service organization’s system and the suitability of the design and operation of its internal control measures through a Service Auditor’s Report.

ISAE 3402 | SOC 1

In an ISAE 3402 | SOC 1 report, organizations define their own control objectives and controls and align them with customer needs. The scope of an ISAE 3402 typically includes all operational and financial controls affecting financial statements and general IT controls (e.g., security management, physical and logical security, change management, incident management, and system monitoring). In other words, if an organization hosts financial information that may affect your customer’s financial reporting, then an ISAE 3402 | SOC 1 audit report is the most logical for an organization to pursue and is likely to be requested. The ITGCs, operational controls, and financial controls are audited under the ISAE 3402 | SOC 1 framework.

In an SOC 1 audit, controls, used to accurately represent internal control over financial reporting (ICOFR), must be included if the organization is subject to SEC filings in the US.

Since the most important suppliers to financial institutions where IT service providers and, at a later stage, Cloud Service providers and data center/hosting providers have gained ground in the IT industry, SAS70, SSAE 18 SOC 1, and ISAE 3402 have become the most comprehensive and transparent standard for IT outsourcing and risk excellence. Organizations requiring an ISAE 3402 | SOC 1 report often consider ISAE 3000 | SOC 2 reports.

ISAE 3000 | SOC 2

ISAE 3000 | SOC 2 reports apply the Trust Services Principles and Criteria (TSPs). The TSPs are a set of specific requirements developed by the AICPA and Canadian Institute of Chartered Accountants (CICA) to provide assurance over security, availability, confidentiality, processing integrity, and privacy. An organization can choose the various aspects relevant to their customer’s needs. An ISAE 3000 | SOC 2 report may cover one or more principles. If your organization hosts or processes other types of information for your customers that do not affect their financial reporting, then an ISAE 3000 | SOC 2 is more relevant. In this case, your customers are likely concerned whether you handle their data securely and if it’s available to them as agreed upon. An SOC 2 report, similar to an SOC 1 report, evaluates internal controls, policies, and procedures.

SOC 1 OR SOC 2?

Organizations processing, hosting, or managing systems or information affecting financial reporting must always provide an ISAE 3402 | SOC 1. ISAE 3000 | SOC 2 applies when all systems and processes are unrelated to financial reporting. Data center, IaaS, PaaS providers typically report hybrid, with both an ISAE 3402 | SOC 1 for financial processes and systems and ISAE 3000 | SOC 2 for unrelated processes and systems. The content of both reports will be identical.

Third-party risk and ISAE 3402

Third-party risk and ISAE 3402

From full outsourcing of complex functions such as IaaS, PaaS services, or component manufacturing to small contracts with local service providers and suppliers, organizations in various sectors and sizes heavily rely on external service organizations.

Outsourcing activities result in cost savings, operational efficiency, or expanded expertise within the organization. Outsourcing also implies increased risk exposure. Understanding, analyzing, and effectively responding to risks as part of an enterprise risk management (ERM) approach is essential for minimizing exposure to financial losses, non-compliance with regulations, and reputational damage.

Understanding third-party risks

Third-party risk is not limited to multinational companies outsourcing key business functions to offshore suppliers. In today’s world, most organizations regularly engage with service providers as part of regular business operations, as discussed in the previous chapter. Even small businesses rely on service organizations for various activities, from hosting servers, IT support to payroll processing. The increase in outsourcing to third parties amplifies the potential risks organizations face.

Analyzing this third-party risk at any given time is essential for business continuity and maximizing the impact of risk management efforts. Given the significant reliance on data in most businesses, any third party with access to sensitive or confidential information can pose a potential risk to business continuity. When outsourcing, as with other categories, risk levels and hierarchies can be considered. These hierarchies and levels form the basis for setting risk priorities by management and the basis for the risk framework in an ISAE 3402 | SOC1 report.

Risk prioritization and ISAE 3402

Setting risk priorities is not a one-time exercise; all parameters can be adjusted over time, depending on factors ranging from economic developments to changes in the regulatory environment to evolving strategic initiatives. While not exhaustive, the types of third parties that typically pose a higher risk to your organization include service organizations such as:

  • Cloud computing/on-demand computing
  • Software-as-a-Service (SaaS)
  • Internet service providers (ISPs)
  • Credit card processing platforms
  • Online order fulfillment
  • Data center and co-location providers
  • HR and payroll administration
  • Third-party administrators (TPAs)
  • Printing and postal services
  • Third-party logistics services (3PL)
  • Accounts receivable processing and collection services
  • Third-party due diligence

Thorough due diligence before entering into a new third-party contract is just the beginning. Like business risks, third-party risks must be regularly and proactively managed throughout the lifespan of a vendor relationship, as parameters adjust over time. This involves leveraging internal audit, financial, legal, and – in many cases – independent auditors issuing an ISAE 3402 assurance opinion.

Expansion obtains ISAE 3402 Type II statement

Expansion obtains

ISAE 3402 Type II statement

Utrecht, April 25, 2019 – DMS provider Expansion obtained the  ISAE 3402 Type II statement in January 2019. Assisted by Securance, Expansion’s clients receive an objective confirmation of their service processes’ reliability. Conclude Accountants conducted the audit.

Digital archiving and document management

Expansion is a leading provider of digital archiving and document management solutions. It increasingly offers its solutions from the Cloud. Expansion enables organizations to fully outsource the management of their critical business information. To assure clients and their accountants of meeting the highest standards of information security, Expansion decided to obtain an ISAE 3402 Type II statement.

Implementation & audit

Securance and Conclude Accountants supported Expansion in the second half of 2018 with the ISAE 3402 report implementation and audited on various aspects: Is the service organization’s description accurate? Are the defined control measures adequately set up? Do the control measures effectively achieve Expansion’s goals? Conclude Accountants obtained confirmation on these aspects during the audit, enabling the issuance of the ISAE 3402 Type II statement.

Comprehensive selection

Expansion chose Securance and Conclude Accountants to guide the process, primarily for their extensive experience in this field.

Continuous process
Expansion found the collaboration highly constructive, contributing to elevating its services to even higher and more consistent levels. Obtaining the ISAE 3402 Type II statement isn’t the end for Expansion but a part of an ongoing improvement process, where Securance will continue to contribute. Initial arrangements for the upcoming audit have already been made.

About Expansion

With the standard DMS Xtendis, Expansion is one of the market leaders in the Netherlands in digital archiving and document management. Xtendis is increasingly taken as a Cloud service. Xtendis is used in the Netherlands by more than 650 organizations for various applications, including digital personnel files, order files, invoice processing, customer files, and mail processing. Xtendis unlocks a total of over 2.6 billion documents for more than 4 million users.