ISAE 3402 – What is that?
International Standard on Assurance Engagements No. 3402 (ISAE 3402) is the internationally recognized standard for auditing the internal control system (ICS) of outsourcing service providers.
Need for ISAE 3402 certification:
Outsourcing of administrative processes and service processes to service companies
Outsourcing, especially in the area of accounting-relevant processes that have an influence on external accounting or in the area of financial reporti
Three variants of outsourcing services have become established in practice:
Parts or the entire IT, including IT management, are outsourced to external computer center operators or specialized IT service providers
Business Process Outsourcing: Outsourcing of routine administrative activities such as payroll accounting to specialised IT service providers
In addition to the processing of business transactions, the service also includes the provision and operation of the necessary IT system
The basis of an audit in accordance with ISAE 3402 comprises the description of the service-related internal control system (ICS) and the management assessment. As part of the management assessment, management provides a statement that the ICS is adequately presented or that the internal controls were implemented during the audit period and, in the case of a type II audit, were effective in achieving the predefined control objectives. A description of the ICS by the company to be audited is an essential part of the reporting.
In December 2007, the PCAOB published a draft version of ISAE 3402 (International Standard on Assurance Engagements), which is intended to regulate the requirements for auditing and reporting on the ICS of a service company. The Public Company Accounting Oversight Board (PCAOB) is an independent regulatory body for accounting firms in the USA.
Within the scope of a certification according to the European standard ISAE 3402, further possibilities of certification can be considered. Companies can be certified according to the German standard IDW PS 951 or the stricter US standard SSAE 18.
BFMT is one of the few mid-sized accountancy firms to be approved by the PCAOB for SSAE 18 auditing.
Who needs ISAE 3402?
A corporate culture characterized by ethical values not only enhances the performance of your employees but is also the cornerstone of your company's sustainable, long-term success. It strengthens the loyalty of your employees, your customers and renowned investors, and thus increases the value of your company.
Certification of your company is a particular advantage with regard to the following groups:
Existing customers (the outsourcing company and its auditors)
New customers (certification as a benchmark for the quality of your company's processes)
Service providers who offer accounting-relevant business processes and IT-supported services as a service confirm to their clients in an ISAE 3402 report that they have a functioning internal control system for the processes outsourced to them.
This confirmation, in the form of certification by an appointed auditor, spares the clients' external auditors from having to check the processes at the service provider themselves.
ISAE 3402 as a component for compliance with legal regulations
Some of the most important national rules for IT compliance include:
The Telecommunications Act for Germany,
The European General Data Protection Regulation (GDPR),
The principles for data access and verifiability of digital documents (digital tax audit),
Laws on control and transparency in the corporate sector
In addition to these national rules, European guidelines (the Basel II framework) and international regulations also come into play.
For example, the Sarbanes-Oxley Act (SOX) also applies to European companies if they are listed on US stock exchanges. Other directives include FINRA (NASD/SEC), HIPAA, IFRS, MiFID and Tabaksblat.
Advantages through certification according to ISAE 3402:
Proof of the appropriateness and, if applicable, effectiveness of the service-related ICS
Assessment of business risks through outsourcing of operational processes
Reporting on the ICS of the service company
Quality feature compared to non-certified companies
Marketing instrument for maintaining and expanding the customer base
Certification procedure according to ISAE 3402 examination standard
Description of the internal control system by the service company including the following key points:
Period covered by the report,
Description of the transactions carried out, control objectives and related controls,
Supplementary checks by customers,
Checks carried out by the sub-service organisation ("inclusive method"),
The process used in the preparation of customer reports, and
Changes to the system during the period examined.