ISAE 3000 / 3402

Cybersecurity and privacy

Many companies outsource various financial and other activities – payroll processing, IT (cloud solutions, infrastructure, etc.), asset management, back office and so on – to external service providers. But any disruption of these processes can seriously affect the continuity of their own business. They therefore want certainty, in the form of assurances covering important factors such as risk management, internal control and data integrity.

What is ISAE 3000/3402?

ISAE, the International Standard for Assurance Engagements, is an audit standard offering certainty in respect of outsourced processes and services. Customers want an unbiased opinion regarding the quality of their service providers, in the form of a good picture of their control of the activities entrusted to them. With an ISAE 3000/3402 report, you can satisfy this demand.

ISAE 3000 and ISAE 3402 are the international standards for high-quality assurance assignments.


ISAE 3000 and 3402: what is the difference?

The ISAE 3402/SOC2 standard applies specifically when financial and/or operational processes are outsourced to a service organization, for example a payroll processor, back-office service provider, or asset or debtor manager. ISAE 3000 is more generic, covering a wide range of issues around such topics as the management of personal data and adherence to agreements.

In the Netherlands, organizations that fall under the Financial Supervision Act (Wet Financieel Toezicht, WFT) or the Pensions Act (Pensioenwet) must be able to demonstrate that they are in control of the relevant financial processes. For suppliers providing services to banks, notaries, pension funds and insurers, an assurance based on ISAE 3000/3402 is therefore relevant.


ISAE reporting

For an ISAE 3000/3402 report, you need standards on which an audit can be based. The report describes the framework for these standards and the internal controls in place. Specific aspects covered include the organizational and consultative structure, objectives, risk management, supervision and control measures. The report not only gives your customer an insight into the reliability and quality of your services, but also provides independent confirmation (as a “third-party memorandum”) that your internal controls are present and effective.

To make the right start with ISAE 3000/3402, we are happy to help you with:

  • Setting up a framework.
  • Framework testing by a registered IT auditor.

More information?

Michel van Gils MSc

Senior manager IT Consultancy