ISAE 3402; assurance on outsourcing

The ISAE 3402 standard is an internationally recognized audit standard issued by the International Auditing and Assurance Standards Board (IAASB). The examination by the auditor of a service organization is widely accepted as it represents a thorough review of the internal control objectives and activities of a service organization. The audit framework and associated control measures are detailed in the System and Organization Report (SOC). The scope of an ISAE 3402/SOC report consists of controls over information technology and operational processes affecting the finances of an organization.


SOC reports can be distinguished into SOC 1 and SOC 2 reports. An ISAE 3402/SOC 1 focuses on financial statements and all processes affecting them. An ISAE 3000 (or SOC 2) report is aimed at meeting a broader range of user needs, including concerns about privacy, confidentiality, and system availability. SOC 2 reports are modular based on the Trust Services Principles and Criteria.

Type I and Type II

An ISAE 3402 Type I report contains an opinion from an external accountant on the control measures in place at a specific point in time. The external accountant examines whether internal control measures are adequately designed to provide a reasonable level of assurance that the assertions in the financial statements are achieved and whether internal control measures exist. In an ISAE 3402 Type II report, the external accountant also reports on the operation of these control measures over a predetermined period. ISAE 3402 reports typically cover the design and operation of controls for a 12-month period with continuous coverage from year to year. A report may cover a minimum period of six months.

Aligning external requirements with internal risk excellence

In outsourcing situations, many questions may arise: Are services performed in a controlled manner? How is security handled? Who has access to our information? Are there adequate fraud prevention measures in place? ISAE 3402 provides a solution to these problems.

ISAE 3402 supports organizations in measuring and evaluating risks and aligning the resulting control framework with strategic objectives and these risks. A one-time investment in the framework pays off by enhancing market confidence and organizational excellence.

Share this blog

July 16, 2024

Detecting and bypassing anti-Adversary-in-the-Middle (AitM) tokens Within the Advanced Red...

    July 15, 2024

    What is XXE (XML eXternal Entity) injection? A lot of...

      July 5, 2024

      Is the local administrator’s password reused in your environment? The...