ISAE 3402 audit

Assurance on security of service provision

Many businesses outsource some of their financial and other processes to service organisations. These processes may include payroll accounting, IT services (cloud solutions, infrastructure, etc.), asset management, back-office processes, etc. A disruption of these processes can have a major impact on the continuity of their business operations. That is why they want the assurance that a service organisation is in control of its processes, for instance when it comes to risk management, internal control or data integrity. Moore DRV’s IT auditors can help you provide that assurance to your customers by issuing an independent ISAE 3402/SOC 1 assurance report.


What our clients say

"Our clients want to be sure that all our financial and IT processes are properly set up. Thanks to the independent and annual ISAE3402 audit, we can offer that assurance. It not only allows us to say that we are well organized, but also to show it. The report helps enormously in gaining the trust of retailers and insurers."

Ronald van Weelde - CEO of Harmony

What is an ISAE 3402 audit?

ISAE stands for International Standard for Assurance Engagements. This is an assurance standard for outsourced financial processes and/or services. Your customers might ask you for an independent opinion on the quality of your service provision to demonstrate that you are in control of the financial processes they have outsourced to you. You can offer them peace of mind by presenting them with an ISAE 3402 assurance report. An ISAE 3402 assurance report addresses the service organisation’s management of risks associated with financial processes. This involves aligning internal control objectives and controls to the users of these processes and/or services and their auditors.


What is the difference between an ISAE 3402 Type I and a Type II report?

There are two types of ISAE 3402 reports: Type I and Type II. What are they and what is the difference? First off, we should say that there are many similarities between the two types. The difference lies mainly in scope. A Type I report provides assurance on the design and the existence of the internal controls at a specific point in time. A Type II report provides assurance on the design, existence and operational effectiveness of the internal controls over a period of at least six months.

Benefits of an ISAE 3402 audit

  • Verifiable risk management and application of quality standards.
  • Assurance for customers, suppliers and end users, creating a competitive advantage.
  • National and international recognition by regulatory authorities.
  • External review of internal control system.
  • Better control of internal processes.

How is an ISAE 3402 audit different from an ISAE 3000 or SOC 2 audit?

SOC stands for System and Organisation Controls. A SOC 2 audit focuses not only on financial processes but also on the Trust Services Criteria defined by the American Institute of Certified Public Accountants (AICPA). These Trust Services Criteria are security, availability, processing integrity, confidentiality and privacy. As a result, SOC 2 is much more targeted at information security and privacy than ISAE 3402, which focuses exclusively on financial processes.

The ISAE 3402 standard applies if financial processes have been outsourced to a service organisation, such as a provider of payroll accounting, back-office, asset management or credit management services. The scope of an ISAE 3000 assurance engagement is much broader than an organisation’s control of outsourced financial processes. An ISAE 3000 engagement can provide assurance on security services and privacy control (including GDPR) and – in the Netherlands – ENSIA and DigiD.


Why would an ISAE 3402 audit be useful for my business?

The ISAE 3402 standard applies if financial processes have been outsourced to a service organisation, such as a provider of payroll accounting, back-office, asset management or credit management services. These are parties providing a service on which assurance must be expressed in the financial statements.


Obtaining an ISAE 3402 report

For us to be able to issue an ISAE 3402 report, you need to have in place a framework of standards we can use as a benchmark. We will describe this framework and your internal control structure in our report. Aspects that will be covered include your organisational and consultation structure, objectives, risk management procedures, supervision and controls. As a result, our report will not only offer your customers insight into the reliability and quality of your service provision, but it will also give them confirmation in a third-party memorandum (TPM) that you have internal controls in place and that these controls are effective.

Want to make the right start with ISAE 3402? We can help by:

  • Setting up a framework for you.
  • Having our certified IT auditors review your framework.

Want to find out more about ISAE 3402?

For more information about how Moore DRV can help you become ISAE 3402-certified, please leave your contact details here and we will reach out to you for a no-obligation consultation.

Max Platvoet MSc RA RE

Auditor and IT auditor
