As companies emerge in an ever-growing global economy, newly adopted accounting principles and standards give potential clients insight into the prospective organization. The new globally accepted framework, International Standards for Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, creates transparency and more clarity when reporting on controls at service organizations. SAS 70, the standard used globally by many practitioners, was superseded because it had been showing its limitations for a number of years, due in large part to the fact that it was a U.S.-based standard and was not always meeting the ever-growing and complex reporting requirements for international service organizations.
ISAE 3402 (and the U.S. Standard of SSAE 16) have become the de facto “standard” for reporting on controls at service organizations when the service organization impacts internal controls over financial reporting. The guidelines and subsequent requirements for reporting on controls put forth by the ISAE 3402 standard are clear and transparent, giving user entities and all intended parties confidence in the reports they receive on service organizations. This differentiates the service organization from its peers by demonstrating the establishment of effectively designed management control objectives and control activities, and helps the organization build trust with its user organizations.
The ISAE 3402 is an assertion-based report similar to SSAE 16. SOC 1, SOC 2, or SOC 3 reports can be issued based on the services provided by the organization. ISAE 3402 stipulates that management of a service organization is required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization’s system, the suitability of the design of the controls, and, in the case of a Type 2 report, the operating effectiveness of the controls. These assertions accompany management’s description of the service organization’s system. A separate management representation letter is also required.
ISAE 3402 was designed to mirror SSAE 16 with slight differences. ISAE 3402:
- Does not require an assessment of the risk and impact on the report.
- Allows deviations to be treated as “anomalies” under certain circumstances.
- Does not specifically discuss the use of the Internal Audit function, but separate “audits” performed by internal audit that are relevant to the service auditor’s activities can be relied upon.
- Must disclose events that take place after the period of the audit but before the date of the service auditor’s report.
- Requires disclosure of subsequent events that have a significant effect on the report.
The benefits of the ISAE 3402 audit are numerous. The audit can assist in identifying areas in an organization’s structure that need improvement, and in determining how to implement the proper changes and adjustments. Potential clients are also assured that the risks in the organization are well studied and that effective systems are in place to handle them. As more organizations undergo an ISAE 3402 audit, the global marketplace becomes easier to navigate as the reporting standard is accepted worldwide.