Consequences of ISAE 3402

To obtain an ISAE 3402 certification, you need to have a description of your internal control, also known as a Service Organization Control Report (SOC).

This report is certified by an external accountant. The accountant doesn’t actually certify but provides an assurance report in accordance with the ISAE 3402 standard for your SOC. Specific requirements exist for the content of such a SOC or ISAE 3402 report. At Risklane, we describe your report according to these requirements. We can then connect you with an external accountant who will certify your ISAE 3402.

Many organizations focus on their core activities, outsourcing non-core activities to other organizations. Due to regulatory requirements and decreasing trust between market parties, the demand for assurance about outsourcing has increased. An ISAE 3402 provides assurance about all processes that ultimately affect the financial statements of the using organization.

Many organizations supervised by the Dutch Central Bank must demonstrate that outsourced processes are effectively controlled. An ISAE 3402 report can be helpful in this regard and is now mandatory for more organizations such as healthcare insurers and the AFM. International companies supervised by the SEC and required to comply with SOx 404 must also meet all ISAE 3402 or SSAE16 requirements for the processes they outsource. In these cases, the demand for ISAE 3402 is certainly justified.