Telefoon: 085-0046560
Mail: info@mathison.nl
Bezoekadres: Cypresbaan 7-9
2908 LT Capelle aan den IJssel

ISAE 3402
Digital service providers must be trustworthy and are increasingly expected to demonstrate to their customers that they can be relied upon. This is partly driven by legal requirements derived from (European) legislation, such as the Network and Information Security Directive 2 (NIS2 directive), the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA).
Having an ISAE 3402 assurance statement can help fulfil this requirement: it offers an independent view on the quality of your service delivery as a digital service provider.
What is an ISAE 3402 statement?
An ISAE 3402 assurance statement provides insight into the mitigation of risks that arise when a user organisation outsources services to a service provider. Through the assurance statement, user organisations are informed about the service organisation’s risk management and about the effectiveness of the internal control measures chosen to mitigate the identified risks.
An ISAE 3402 audit assesses the design and implementation (Type I) or the design and operating effectiveness (Type II) of the business processes and of the control measures aimed at managing those risks, viewed from the perspective of the user organisation, i.e. the users of the services.
For such an assurance statement, the auditor and the auditee determine by mutual agreement which control measures will be tested, and therefore how large and extensive the control framework is.
Advantages of an ISAE 3402
Efficient method for obtaining and providing assurance: Through a single generic control framework, the service organisation gains insight into the risks and the risk management in its business processes, and thereby a better view of how well those processes are controlled.
Relief of audit pressure: By combining the risks of your user organisations in one control framework, the service organisation can be audited once for all of them, which reduces audit pressure. You will not have to respond to separate audits or questionnaires from each user organisation every time.
Compliance: An ISAE 3402 statement is also of great value for compliance. It indicates to what extent one may rely on the services of suppliers and thus contributes to compliance with legislation such as NIS2 and the CRA.

Contact us
Do you have questions about an ISAE 3402 statement, or have your clients requested an assurance statement? Or would you like to discuss the possibilities for improving the control of your own processes? We are happy to discuss the opportunities with you.
The process of an ISAE 3402
The process of obtaining an ISAE 3402 statement starts with the assessment framework: which control objectives are relevant in addition to the core objectives? The service organisation (together with the auditor) determines which control objectives and control measures apply to your organisation and provide your clients with sufficient confidence in your risk management. In summary, an ISAE 3402 audit is conducted through the following steps:
Determining the scope of the service: Based on the service provided, you determine which controls are relevant and which are not. We also look at the wishes and requirements of your clients, viewed from the perspective of the risks they face in relation to the services provided.
Risk analysis and control framework: For the processes in scope, you conduct a risk analysis on the quality of the internal organisation and the service delivery, and as a service provider you identify:
- Possible events that may affect service quality, and financial risks that may affect the user organisation’s financial statement audit.
- Control measures to manage the risks in the business processes identified in the risk analysis, together with the control objectives those processes are designed to meet.
- On this basis, the control framework relevant to the service delivery, taking into account the risks faced by the user organisations, i.e. your customers.
Prepare and review the system description: In a description, you explain the processes that ensure that the services are provided securely and properly, as you have promised to your customers.
Evidence list: Preparation of a list of the evidence to be collected for your control measures, so that the audit can be conducted efficiently and effectively with minimal impact on daily operations.
Audit work: Conducting the interviews and assessing the design, existence and operation (review) of the documents, system settings, logs, etc. In doing so, we look at the extent to which you comply with your own control measures.
Reporting and final aftercare: After the audit work, we prepare a draft report in which we record the findings and our opinion. We then discuss the report with you so that you have insight into what is to come.
Internal quality control: Of course we follow NOREA’s quality guidelines. We ensure quality through a file review by an impartial third party who is not part of the audit team. This review by the external reviewer ensures that the audit report meets all NOREA requirements.
