Implementing and maintaining ISAE 3402
Contents
Introduction
Contacts
This brochure outlines the purpose and background of the ISAE 3402 standard, its main
benefits and key operational insights for implementing and maintaining it.
[Figure: user organization and service organization; outsourcing contract; SLA; ISAE 3402 report; alignment]
The user organization is an entity that outsourced part of its business to a service
organization. Formal agreements regarding the outsourced services are recorded in
a contract and/or Service Level Agreement (SLA). Under the ISAE 3402 standard
the service organisation has five primary responsibilities:
1 Prepare and present a complete and accurate description of the ‘system’
(i.e. the internal control framework).
2 Specify the control objectives.
3 Identify the risks that threaten the achievement of the control objectives.
4 Design, implement and maintain controls to provide reasonable assurance that
the control objectives will be achieved.
5 Provide a written assertion to accompany the description as to the completeness
and accuracy of the information provided and state the criteria used as a basis
for making the assertion.
The auditor of the service organisation (service auditor) shall subsequently
determine if all relevant aspects of the ISAE 3402 standard are adequately
addressed by the system description. In addition, the service auditor determines
whether the controls mentioned exist, are adequately designed and operated effectively
(Type II only) during a certain period. The service auditor provides an opinion to
the ISAE 3402 report. The auditor of the user organisation (user auditor)
can subsequently rely on the service auditor's opinion when auditing the user
organization's financial statements.
“ISAE 3402 could provide competitive advantage, since it is a method of
distinguishing a service organization from its competitors”
There are two types of reports, Type I and Type II. Type I reports provide:
• A description of the service organisation’s system and controls supported by a
management assertion and an auditor’s opinion on the fairness of that description,
and whether the controls had been placed into operation.
• A management assertion and an auditor’s opinion on whether the controls are
appropriately designed to meet the control objectives.
“ISAE 3402 is a recurring (annual) project. Making a one-time investment in
your approach and framework pays off in the coming years.”
We will offer our assistance through workshops and training programs for your
organization and evaluate the design and operating effectiveness of the ISAE 3402
control framework and report. We will issue an ISAE 3402 report and a
management letter containing findings and recommendations.
[Figure: ‘External’ Financial Reporting Risks; Perform risk analysis; ISAE 3402 Scope]
Ernst & Young Advisory is a trade name of Ernst & Young Accountants LLP. This is a limited liability
partnership registered in England and Wales with registered number OC335594. Ernst & Young
Accountants LLP has its registered office at 1 Lambeth Palace Road, London SE1 7EU, United
Kingdom, its principal place of business at Boompjes 258, 3011 XZ Rotterdam, the Netherlands
and is registered with the Chamber of Commerce Rotterdam number 24432944.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a
substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst
& Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any
material in this publication. On any specific matter, reference should be made to the appropriate advisor.
www.ey.com/nl