ISAE 3402 – What is that?

Basic Information

International Standard on Assurance Engagements No. 3402 (ISAE 3402) is the internationally recognized auditing standard for auditing the internal control system (ICS) of outsourcing service providers.

Need for ISAE 3402 certification:

  • Outsourcing of administrative processes and service processes to service companies

  • Outsourcing, especially in the area of accounting-relevant processes that have an influence on external accounting or in the area of financial reporting

Three variants of outsourcing services have become established in practice:

  • Parts or the entire IT, including IT management, are outsourced to external computer center operators or specialized IT service providers

  • Business Process Outsourcing: Outsourcing of routine administrative activities such as payroll accounting to specialised IT service providers

  • In addition to the processing of business transactions, the service also includes the provision and operation of the necessary IT system

The basis of an audit in accordance with ISAE 3402 comprises the description of the service-related internal control system (ICS) and the management assessment. As part of the management assessment, management provides a statement that the ICS is adequately presented or that the internal controls were implemented during the audit period and, in the case of a type II audit, were effective in achieving the predefined control objectives. A description of the ICS by the company to be audited is an essential part of the reporting.

In December 2007, the PCAOB published a draft version of ISAE 3402 (International Standard on Assurance Engagements), which is intended to regulate the requirements for auditing and reporting on the ICS of a service company. The Public Company Accounting Oversight Board (PCAOB) is an independent regulatory body for accounting firms in the USA.

Within the scope of a certification according to the European standard ISAE 3402, further possibilities of certification can be considered. Companies can be certified according to the German standard IDW PS 951 or the stricter US standard SSAE 18.

BFMT is one of the few mid-sized accountancy firms to be approved by the PCAOB for SSAE 18 auditing.


30 minutes free consultation

Are you interested in our certification?
Get in touch with us without obligation.
We will be happy to advise you.


Who needs ISAE 3402?

A corporate culture that is characterized by ethical values not only enhances the performance of your employees but is also the cornerstone for the sustainable and long-term success of your company. It strengthens the loyalty of your employees, your customers and renowned investors, and thus increases the value of your company.

Certification of your company is a particular advantage in dealing with the following groups:

  • Existing customers (the outsourcing company and its auditors)

  • New customers (certification as a benchmark for the quality of your company's processes)

  • Supervisory authorities

Service providers who offer accounting-relevant business processes and IT-supported services as a service confirm to their clients in an ISAE 3402 report that they have a functioning internal control system for the processes outsourced to them.

This confirmation, in the form of certification by an appointed auditor, spares the clients' external auditors from having to check the processes at the service provider themselves.

ISAE 3402 as a component for compliance with legal regulations

Some of the most important national rules for IT compliance include:

  • The Telecommunications Act for Germany,

  • The European General Data Protection Regulation (GDPR),

  • The principles for data access and verifiability of digital documents (digital tax audit),

  • Laws on control and transparency in the corporate sector

In addition to these national rules, European guidelines (the Basel II framework) and international regulations also come into play.

For example, the Sarbanes-Oxley Act (SOX) also applies to European companies if they are listed on US stock exchanges. Other directives include FINRA (NASD/SEC), HIPAA, IFRS, MiFID and Tabaksblat.

Advantages through certification according to ISAE 3402:

  • Proof of the appropriateness and, if applicable, effectiveness of the service-related ICS

  • Assessment of business risks through outsourcing of operational processes

  • Reporting on the ICS of the service company

  • Quality feature compared to non-certified companies

  • Marketing instrument for maintaining and expanding the customer base

Certification procedure according to ISAE 3402 examination standard

Description of the internal control system by the service company including the following key points:

  • Audited services,

  • Period covered by the report,

  • Description of the transactions carried out, control objectives and related controls,

  • Supplementary checks by customers,

  • Checks carried out by the sub-service organisation ("inclusive method"),

  • The process used in the preparation of customer reports, and

  • Changes to the system during the period examined.


Tip - A detailed list of information which should be available in the company at the beginning of a certification can be found under the following link: show checklists



A possible project flow is shown in the following workflow.