ISAE 3402 | SOC1

The global business environment is changing rapidly. Global outsourcing will increase manifold in the coming years. New delivery and supply chain models are being developed. Technologies evolve at a rapid pace, and regulatory requirements are more global and constantly in development. In this global environment, organizations are looking for means to establish an effective and efficient outsourcing environment for their business. Third-party reporting frameworks such as ISAE 3402 | SOC 1, ISAE 3000 | SOC 2 and the SOC cybersecurity frameworks are gaining widespread acceptance and becoming the standard for trusted business.

ISAE 3402

ISAE 3402 | SOC 1 guarantees that outsourced processes are demonstrably 'in control'. 'In control' implies that processes are properly executed, information security is adequately built, and sufficient measures to prevent fraud are implemented. An ISAE 3402 | SOC 1-report is increasingly required by financial institutions and other professional organizations.

SOC 1 Report

For your organization to acquire an ISAE 3402 | SOC 1 assurance report, you need to implement a solid risk framework, including relevant controls, and hire an accredited service auditor, such as Certicus Assurance. An ISAE 3402 | SOC 1 should not be confused with ISAE 3000 | SOC 2. An ISAE 3000 | SOC 2 has a different objective and scope than a SOC 1.

Outsourced processes being demonstrably 'in control' implies that processes are designed properly to cover all financial risks, that the described controls are in place and that these controls operate effectively during a predefined period. Information security should be organized adequately and sufficient measures should be taken to prevent fraud. An external auditor performs an audit on the ISAE 3402 SOC 1 report and provides assurance on this report. In the next column the next steps to acquire a SOC 1 report are described.

A Service Organization Control (SOC) report is a term from the United States for reporting on the internal control of a service organization. A SOC 1 report contains a description of the risk management organization, the internal control system and the information security measures. Usually, a general description of the internal control system and a control matrix (CM) are included in a SOC 1 report, which in turn includes detailed internal control measures.

Outsourcing

Almost all processes can be outsourced. For example, the IT organization as well as the processing of financial transactions, logical operations or the credit management process can be outsourced. Organizations increasingly outsource (parts of) business-critical processes. As a consequence of outsourcing, important risk management and controls can be out of sight of the management of a user organization. This might result in unwanted risks for an organization. Diligently tested processes and controls and an ISAE 3402 SOC 1 assurance report will help to reduce these risks.

Regulation

The ISAE 3402 standard (the successor of the SAS 70 standard) was developed because organizations and regulators had a greater need for insight into and control of outsourcing. As a result, supervisory authorities such as the Central Banks or the securities and exchange commission, the government in general and most likely your customers might also have specific questions or requirements with respect to reporting on the outsourced processes. ISAE 3402 SOC 1 might therefore be a very useful solution. Our specialized staff is more than willing to inform you of the next steps to be taken for an ISAE 3402 SOC 1 audit.

What is ISAE 3402 | SOC 1?

The global standard for controlled outsourcing