Organizations are increasingly outsourcing business processes to service organizations. Examples of these outsourced activities are the management of data centers, answering questions via external call centers, and automated data processing. Customers trust that the service organization has taken adequate measures to ensure undisturbed and reliable service. However, this trust is sometimes misplaced.
If you want certainty about the measures implemented at a service organization, or if you, as a service organization, wish to demonstrate to customers that your internal processes are in order, you can have an ISAE 3402 audit conducted. ISAE 3402 is a globally recognized assurance standard for outsourcing.
The ISAE 3402 standard has two types of inspections:
When you outsource your business process, you may obtain an ISAE 3402 Type I or Type II certificate from the service organization. For a Type I certificate, an independent audit organization will determine, based on the documentation provided by the service organization, whether the design and existence of control measures are well implemented. For a Type II certificate, the audit organization will check whether the service organization's internal control processes are in order. This is tested by random sampling over a longer period. In the majority of cases, responsibility for business processes is shared, and organizational checks will be conducted in your organization as well.