To obtain an ISAE3402 certification you must have a description of your internal control. Such a report is known as a Service Organization Control Report (SOC1). You will need to have this report audited by an external auditor. This accountant does not actually certify, but issues an assurance report on your SOC in accordance with the ISAE3402 standard. There are specific requirements for the content of such an SOCR or ISAE3402 report.
Many organisations focus on their core activities and outsource non-core activities to other organisations. Both because of supervisory organisations and because of decreasing trust between market parties, the demand for certainty (assurance) about outsourcing has increased. An ISAE3402 provides assurance on all processes that ultimately affect the financial statements of the user organisation.
Many organisations supervised by the Dutch Central Bank are required to demonstrate that they actually manage their outsourced processes. An ISAE3402 report can be helpful in this process and is increasingly being made compulsory by organisations such as care offices and the AFM. International companies that are supervised by the SEC and that are required to comply with SOx 404 are also required to comply with all the requirements of ISAE3402 or SSAE16 for the processes they outsource. In such cases, therefore, the demand for ISAE3402 is certainly justified.
You might be able to do this. An ISAE3402 report must meet a number of form and content requirements. The ISAE3402 standard is a public standard; you can download and consult it from our website. An ISAE3402 report must at least contain a description of the control framework and a management confirmation with regard to that internal control.
ISAE3402 is the international standard for outsourcing, which means that you meet international requirements that are also recognisable to both your domestic and international clients. Compliance with the ISAE3402 standard is required in many tenders. Another advantage is that your client no longer needs to send its own auditors to you. In addition, ISAE3402 is often used as a means to standardise and better organise processes within the organisation.
That is mandatory. You must include information systems that affect the financial statements in the ISAE3402 report (ref. ISAE3402.16). It is therefore often important to describe the controls in your operating system (Windows Server or Linux) in the ISAE3402 report as well.
This is an example of how the Dutch ISAE3402 practice has elaborated the standard. SOx404 and the PCAOB standard require, for example, that a daily control be tested 25 times. The ISAE3402 standard does not have such requirements. The ISAE3402 standard stipulates that the service auditor must determine a sample size such that the risk is reduced to an acceptable level (Standard 27 b).
The Exclusion or Carve-out method concerns how the services provided by a sub-service organisation are handled. In this method, the service organisation's description of its system includes the nature of the services provided by a sub-service organisation. However, the relevant internal control objectives and the related internal control measures of the sub-service organisation are excluded both from the service organisation's description of its system and from the scope of the service auditor's engagement. The description of the service organisation's system and the scope of the service auditor's engagement do include the service organisation's own internal control measures that monitor the effectiveness of the sub-service organisation's internal control measures; this may mean, for example, that the service organisation assesses an assurance report on the sub-service organisation's internal control measures.