What is ISAE 3402

Internal control reports on the services provided by a service organisation detail valuable information that users need to assess and address the risks associated with an outsourced service

ISAE 3402

The International Standard on Assurance Engagements (ISAE) number 3402, “Assurance Reports on Controls at a Service Organisation”, was introduced in December 2009 by the International Auditing and Assurance Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC).

ISAE 3402 was developed to provide an international assurance standard for allowing public accountants to issue a report for use by clients and their auditors on the controls at a service organisation (such as Marbury) that are likely to impact or be a part of the clients’ system of internal control over financial reporting.

Why obtain ISAE 3402?

An ISAE 3402 attestation (including an ISAE 3402 Type I and /or Type II audit report) is regarded as a quality criterion for service organisations that distinguishes them from competitors whilst at the same time providing assurance to clients.

Clients that engage service organisations which have received the ISAE 3402 attestation benefit in the following ways:

  • they will receive assurance that the internal controls surrounding services outsourced by the service organisation to the client are adequate and monitored, and
  • the auditors of the client can rely on the ISAE 3402 report of the service organisation when conducting their audit on the client’s service providers, usually resulting in a reduced audit cost on the client.

Types of ISAE 3402 Reports

ISAE 3402 defines two kinds of reports:

Type I: Documenting a “snapshot” of the service organisation’s internal controls at a specific point in time.

Type II: Documenting and testing such controls over a period of time (typically 12 months) with the purpose of showing how the internal controls have been managed by the service organisation over time.

More information on the ISAE 3402 reports here.

> What does this mean for Marbury clients?

US vs International Standards

Comparing SSAE 18 (formerly SAS 70) and ISAE 3402

Statement on Auditing Standards (SAS) No. 70, Service Organisations, was a widely recognised auditing standard developed by the American Institute of Certified Public Accountants (AICPA). Established in 1992, SAS 70 was the first standard that provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organisation’s description of controls through a Service Auditor’s Report. It was superseded by Statement on Standards for Attestation Engagements, SSAE 18, in 2016.

ISAE 3402, issued by the IAASB, also supersedes SAS 70 and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls. The approach is from a financial reporting perspective.

The US SSAE 18 and the International ISAE 3402 accreditations are considered to be parallel assurance audit standards.

What does ISAE 3402 mean for our clients (‘peace of mind’)?

The ISAE 3402 accreditation obtained by Marbury provides peace of mind to stakeholders such as clients, managers, administered vehicles, and service providers, of the quality and rigour of Marbury’s controls, systems and processes.  The accreditation reports are compiled by third parties – registered audit firms, in this case Baker Tilly – that have internationally recognised expertise in assurance audits. 

Stakeholders can therefore have peace of mind that the accreditation obtained is objective, unbiased, and reliable.