What is ISAE 3402 | SOC 1?
ISAE 3402 is the standard for outsourcing. To become certified, an organization must have a Service Organization Control (SOC) Report. A SOC report is a report that includes a description of the risk management system. This report is then annually reviewed by a service auditor. An organization that provides services is referred to as a service organization. Through an ISAE 3402 report, a service organization provides accountability to another organization (a user organization) regarding the processes performed in the Service Level Agreement (SLA) and the control over these processes. The standard succeeded the SAS 70 standard and was introduced in 2011.
ISAE 3402 and Outsourcing
Organizations are increasingly outsourcing, particularly in the IT domain. Organizations that outsource want insight into information security, fraud prevention, and risk management in general. This is especially important as more crucial business processes are being outsourced, making it essential to understand who has access to information and whether there are sufficient segregations of duties to prevent fraud. An ISAE 3402 report provides this insight.
Report content
In addition to the general overview, the report must include processes that could potentially affect the financial statements (financial processes). This also includes IT processes, known as General IT Controls. Furthermore, an ISAE 3402 report can provide assurance that outsourced processes are being performed according to the agreed-upon SLA. The SOC report consists of a general section based on the COSO 2013 standard and a control matrix. Read more about the report content and the two types of reports: ISAE 3402 Type I and Type II.
Outsourcing example
A pension fund outsources asset management to an asset manager. Pension funds must comply with the Pension Act (PW). The Pension Act requires the pension fund to demonstrate that the outsourced processes are controlled.In this case, the pension fund is the user organization, and the asset manager is the service organization. The agreements between the pension fund and the asset manager are documented in the asset management agreement and possibly an SLA. Therefore, the pension fund requests an ISAE 3402 report from the service organization. With this report, the pension fund demonstrates that the outsourced processes are “in control” and that it complies with the Pension Act for this outsourcing arrangement.In such a situation, the pension fund (the ‘user organization’) wants insight into:
- Whether investments are processed accurately and completely for the financial statements
- Whether asset management is conducted in accordance with laws and regulations
- Whether there are sufficient safeguards against fraud
- Whether security is adequately implemented at the asset manager
- Whether specific compliance requirements included in the Pension Act are met
The pension fund will require the asset manager to include the above topics within the scope of the ISAE 3402 report. The pension fund’s auditor will consult the asset manager’s ISAE 3402 report as part of the pension fund’s annual financial statement audit. The auditor does not need to separately test procedures at the asset manager, as this has already been reported on by the service auditor.
Added value
The primary added value for a user organization is that, based on the Service Organization Control report, it can determine whether information security or fraud prevention measures are adequate. This is also important information for the user organization’s auditor. The user organization’s auditor can assess whether the measures at the service organization are sufficiently designed within the framework of the user organization’s financial statement audit. Additionally, a (recognized) other auditor has determined whether these measures exist (Type I) and have been operating effectively (Type II). The auditor then does not need to perform separate controls at the service organization.