ISAE / SOC Outsourcing of services

Does your organisation outsource services, or are you hired by other companies to deliver services on their behalf? Then you’ll know how difficult it is to maintain control over outsourced activities. After all, it’s not always possible to monitor them directly. At the same time, legal responsibility typically remains with the organisation that outsources the service—so the need for insight and assurance is clear.

While ISO certifications demonstrate that processes are in place, an ISAE report proves that these processes are actually functioning effectively. It is the next step for organisations seeking assurance over the reliability of outsourced services.

Mathijs de Vaal
Managing Consultant

The benefits of ISAE / SOC

When services are outsourced, ISAE / SOC offers a number of distinct advantages:

Insight and assurance

More insight and assurance for the organisation that outsources the service, which is usually also legally responsible for the service.

Demonstrability

Organisations performing the service show that they meet expectations and effectively manage risks related to IT security and privacy.

Proactive risk management

Proactive risk management by implementing control measures.

Safeguard business continuity

Ensuring business continuity and information security within operations.

Legal obligations

Demonstrably meeting various legal requirements.

What is the purpose of the ISAE report?

Organisations often draw up a Service Level Agreement (SLA) or other contractual agreement. These define in detail what the service and the organisation providing it must comply with. However, it usually remains unclear whether these requirements are actually met, and whether internal processes are in order and properly managed.

The ISAE report offers a solution. This report, also known as an assurance report, can be requested by an organisation outsourcing business processes (services) to another party, when those services have an impact on the client’s financial statements. With an ISAE report on outsourced business processes, an organisation demonstrates that internal processes are being managed and that a high-quality service is being delivered.

What does ISAE stand for?

ISAE stands for International Standard for Assurance Engagements. It is important to understand that ISAE is not a certification standard; you cannot be certified against it. Instead, the outcome is an independent report issued by an RA/AA auditor. This confirms that the service organisation delivering the outsourced business processes actually has those processes under control.

Eveline van Dijk
Consultant

ISAE 3000 and ISAE 3402

ISAE 3000 and ISAE 3402 are both international standards for assurance engagements, issued by the International Auditing and Assurance Standards Board (IAASB). They provide guidance for conducting audits and issuing assurance reports, but differ in scope and focus.

ISAE 3000 is a general standard that applies to assurance engagements not related to historical financial information. This includes, for example, audits of internal controls, sustainability, and compliance with laws and regulations. The standard offers flexibility and requires auditors to use professional judgement in determining the scope and controls to be tested.

ISAE 3402, on the other hand, is a specific standard under the umbrella of ISAE 3000 and focuses solely on service organisations that provide services affecting the financial reporting of their clients. The purpose of ISAE 3402 is to provide assurance regarding the effectiveness of internal controls relevant to financial reporting. This standard is particularly relevant for organisations providing outsourced services that affect the financial processes of their clients.

In summary, ISAE 3000 offers a broad framework for assurance engagements beyond traditional financial audits, while ISAE 3402 is specifically aimed at assessing internal controls at service organisations in relation to financial reporting. Both standards are essential for organisations that want to offer transparency and trust to their stakeholders, but they differ in focus and application.

The link between ISAE 3402 and SOC 1 reporting

The ISAE 3402 report is also referred to as a SOC 1 report. This stands for Service Organisation Control Report. SOC 1 is the American version and also deals with internal controls at service organisations in relation to financial reporting. In other words, processes that affect the financial statements.

For an ISAE 3402 report (assurance report), no scope or area of application is prescribed. This is in contrast to SOC 1, where the applicable control objectives are fixed within a framework.

Another difference between ISAE 3402 and SOC 1 is that there is no minimum period prescribed for a type II report; the period is determined by the auditor.

The link between ISAE 3000 and SOC 2 reporting

ISAE 3000 and SOC 2 are both assurance reports that help organisations provide trust to clients and stakeholders regarding their internal control measures, particularly in the area of information security.

SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) and focuses specifically on service organisations providing services where data security, availability, processing integrity, confidentiality and privacy are of critical importance. Both reports can be issued as Type I (point-in-time) or Type II (assessment over a period).

The main difference between ISAE 3000 and SOC 2 lies in the control framework used. ISAE 3000 offers flexibility in the choice of control framework, allowing organisations to use, for example, ISO 27001 or a custom framework. SOC 2, on the other hand, uses the fixed Trust Services Criteria of the AICPA, which ensures a standardised approach.

In practice, SOC 2 is often carried out in accordance with the ISAE 3000 standard, making the report internationally recognised. For organisations that provide services with a focus on information security and operate internationally, a SOC 2 report based on ISAE 3000 can be a suitable choice to demonstrate that they manage their processes effectively and comply with relevant standards.

Tim Kemper
Consultant

The ISAE audit

In practice, ISAE 3000 / SOC 2 focuses on measures that ensure security, reliability, integrity and confidentiality, particularly for the organisation’s IT infrastructure. ISAE 3402, on the other hand, focuses on financial reporting processes, primary processes, information security, risk management and continuity. This involves IT General Controls, because the reliability and integrity of IT systems impact the financial statements of the outsourcing organisation.

Difference between an ISAE type I and type II report

There are two types of reports that can be issued: a type I and a type II report. An ISAE type I report assesses the design and existence of the control measures. This is a point-in-time evaluation. In a type II audit, in addition to design and existence, the effectiveness of the control measures is also assessed, usually over a period of at least 6 months. During this period, the actual function and operation of the control measures is tested. This allows the client of outsourced services to see that the organisation is truly in control of its service delivery.

In short, the (RE/IT) auditor assesses whether the service is being controlled. This assessment relates to the design and existence of control measures (type I) and the actual implementation over a minimum period of six months (type II). Based on the audit results, the RA/AA auditor issues the assurance report.

An ISAE report via Protify

As consultants, we often come into contact with complex processes and outsourced services at our clients. That is why we work with independent auditors who issue ISAE reports. After the kick-off to get to know each other, we jointly draw up an action plan. We do this based on the agreed standards and assessment framework. Naturally, we also assist with setting up the ISAE framework.

We then conduct a risk analysis, adjust the documentation, and define the necessary control objectives and measures. Your organisation then needs to implement and adhere to them.

After implementation, we collect the evidence, analyse it, and clarify or improve it where needed. For file formation, the supporting evidence is stored.
We then prepare and discuss the report, after which the actions and tasks relating to quality assurance are set up by your team.

For a type I report, the auditor will then assess the design and existence of the controls. For a type II audit, supporting evidence must be collected over a period of at least six months to demonstrate that the implementation and functioning of the control measures are properly managed. We determine together which type of report is suitable at the start of the project. This usually depends on the preferences of your organisation.

Why choose Protify

ISAE offers independent assurance that your organisation controls its processes and manages risks appropriately. Clients gain confidence that their data or processes are in safe hands.

To obtain an ISAE report, outsourced processes must be well-documented, standardised, and controlled. This often leads to better internal structure and fewer errors.

Many clients, especially in the financial or healthcare sector, require an ISAE report before doing business with a supplier. It is a form of due diligence: clients can use your ISAE report as supporting evidence for their own audits and controls.

With an ISAE report, you demonstrate that your organisation meets relevant requirements in the areas of:

  • Business continuity
  • Risk control
  • Information security
  • Privacy (such as GDPR)

Get started now

By having an ISAE report, you demonstrate the reliability and security of the processes outsourced to your organisation to clients and stakeholders. Want to know more about an ISAE report?