ISAE 3402: Type I or Type II?
There are two types of ISAE 3402 reports: Type I and Type II. Both report types are similar in content; the difference lies in the nature of the audit performed. In a Type I audit, the auditor determines whether the risk management framework and control measures cover the normative framework (design) and exist at a specific point in time. To establish this, the auditor performs a walkthrough of the processes, the so-called line controls. In a Type II audit, the auditor assesses whether the control measures have been operating effectively over a period of at least six months.
Increased Assurance
With a Type II report, a user organization gains greater assurance that the service delivery is controlled as agreed. The period covered by an ISAE 3402 Type II audit is a minimum of six months, unless there is a special situation, such as the acquisition of a new organizational unit or the introduction of a new IT system.
Mandatory Components
An ISAE 3402 report is relatively ‘free-form’. The standard requires, among other things, that risk management is implemented, that the IT infrastructure is controlled, and that the risk management system is effectively monitored. An ISAE 3402 report must, however, include the following mandatory components: (1) a description of the internal control framework, (2) a confirmation from the service organization, and (3) a service auditor’s assurance report. While these components are mandatory, the standard does not prescribe how they should be presented in the report. Additionally, ISAE 3402 does not subdivide the report into sections, unlike the SAS 70 standard (ref. standard 3402.9 sub j). Despite the lack of a prescribed structure, a best practice has emerged in the Netherlands.
Best Practices
The best practice includes several components: a general description, a description of the control framework, and a control matrix. The general section provides a description of the organization. The description of the control framework typically outlines the complete risk framework according to COSO. The COSO framework was updated to COSO 2013 in 2013 and to COSO 2017 ERM in 2017. A key difference from the original COSO framework is that the latest versions include principles.
Control Matrix
In the control matrix, objectives are linked to risks, and the measures that mitigate these risks (controls) are included. All controls relevant to the user organization are incorporated.
Assurance Report
During the audit, the auditor assesses whether all expected controls are included. After this review, the auditor provides an assurance statement in the report according to standard 3402*. Such an assurance statement is sometimes referred to as an ISAE 3402 certification, although it is not a certificate but an assurance report according to standard 3402.
* Standard 3402 is the Dutch translation of the international ISAE 3402 standard.
Get started with ISAE 3402
ISAE 3402 reports are read not only by your clients but also by their auditors. A report that does not follow best practice, or that is written less carefully, is likely to be perceived as less professional by your client or their auditor. With Securance’s experience in ISAE 3402 since 2004, we are well-equipped to produce professional reports. We can also advise you on how to improve your measures to better control risks.