Organizations are increasingly outsourcing business processes to service organizations. Examples of these outsourced activities are the management of data centers, answering questions via external call centers, and automated data processing. Customers trust that the service organization has taken adequate measures to ensure undisturbed and reliable service. However, this trust is sometimes misplaced.
If you want certainty about the measures implemented at a service organization, or if you, as a service organization, wish to demonstrate to customers that your internal processes are in order, you can have an ISAE 3402 Audit conducted. ISAE 3402 is a globally recognized assurance standard for outsourcing.
The ISAE 3402 standard has two types of inspections:
- Type I: This inspection focuses on the planned control measures and whether they exist in reality;
- Type II: This inspection focuses on the planned control measures and whether they exist in reality; in addition, their performance is observed over a longer period. This type of investigation provides greater certainty about whether the service of a service organization can be relied upon.
When you outsource your business process, you may obtain an ISAE 3402 Type I or II certificate from the service organization. For a Type I certificate, an independent audit organization will determine, based on the documentation provided by the service organization, whether the design and existence of control measures are well implemented. For a Type II certificate, the audit organization will check whether the service organization's internal control processes are in order. This is tested by random sampling over a longer period. In the majority of cases, responsibility for business processes is shared, and organizational checks will be conducted in your organization as well.
Who is the ISAE 3402 Audit intended for
- You have outsourced IT operations and business processes and want to have a fair degree of certainty that the service organization has the internal control of these processes in order and that the (financial) reports are reliable;
- You wish to show your customers that you have the internal control of their processes in order;
- Your organization operates under the Sarbanes-Oxley legislation.
You will get reasonable assurance on the quality of internal processes and controls of the service organization;
You will get reasonable assurance about whether the service complies with the contractual agreements in the field of internal processes and controls;
The reliability of your organization towards your partners increases through certification.
After a Type I investigation, you will receive a report that describes whether a service organization has documented and implemented its internal processes well, in both design and implementation;
After a Type II investigation, you will receive a report that describes whether, apart from the design, the internal processes and controls have been followed over a longer period.