To obtain an ISAE 3402 certification, you must have a description of your internal control. Such a report is known as a Service Organization Control Report (SOC 1). You will need to have this report audited by an external auditor. This accountant does not actually certify, but provides an assurance report with your SOC in accordance with the ISAE 3402 standard. There are specific requirements for the content of such a SOC 1 or ISAE 3402 report.
Many organizations focus on their core activities. Non-core activities are outsourced to other organizations. Both because of supervisory organizations and because of the decreasing trust between market parties, the demand for certainty (assurance) about outsourcing has increased. An ISAE 3402 report provides assurance on all processes that ultimately affect the financial statements of the user organization.
Many organizations supervised by the Dutch Central Bank are required to demonstrate that they actually manage their outsourced processes. An ISAE 3402 report can be helpful in this process and is increasingly being made compulsory by organizations such as care offices and the AFM. International companies that are supervised by the SEC and are required to comply with SOx 404 are also required to comply with all the requirements of ISAE 3402 or SSAE16 for the processes they outsource. In such cases, therefore, the demand for ISAE 3402 is certainly justified.
You might be able to do this. An ISAE 3402 report must meet a number of form and content requirements. The ISAE 3402 standard is a public standard; you can download it from our website and consult it. An ISAE 3402 report must at least contain a description of the control framework and a management confirmation with regard to that internal control.
ISAE 3402 is the international standard for outsourcing, which means that you meet international requirements that are recognizable to both your domestic and international clients. Compliance with the ISAE 3402 standard is required in many tenders. Another advantage is that it is no longer necessary for your client to send its own auditors to you. In addition, ISAE 3402 is often used as a means to standardize and better organize processes in the organization.
This is an example of the elaboration of the Dutch ISAE 3402 practice. SOx 404 and the PCAOB standard require, for example, that a daily check be tested 25 times. The ISAE 3402 standard does not have these requirements. The ISAE 3402 standard stipulates that the service auditor must determine a sample size so that the risk is reduced to an acceptable level (Standard 27 b).
The Exclusion or Carve-out method concerns how the services provided by a sub-service organization are handled. In this context, the service organization's description of its system includes the nature of the services provided by a sub-service organization. However, the relevant internal control objectives and the related internal control measures of the sub-service organization are excluded from the service organization's description of its system as well as from the scope of the service organization's auditor's engagement. The description of the service organization's system and the scope of the engagement of the service organization's auditor contain internal control measures of the service organization that monitor the effectiveness of a sub-service organization's internal control measures, which may imply that the service organization assesses an assurance report regarding the sub-service organization's internal control measures.