ISAE 3402

ISAE (International Standards for Assurance Engagements) 3402 is a global assurance standard for reporting on controls at service organizations. It became effective on June 15, 2011, largely in response to the passage of the Sarbanes-Oxley Act (often referred to by the acronym SOX) in the aftermath of the Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices.

ISAE 3402 is an extension and expansion of SAS 70 (the Statement on Auditing Standards No. 70), which defined the standards an auditor must employ in order to assess the contracted internal controls of a service organization. SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA) as a simplification of a set of criteria for auditing standards originally defined in 1988.

In ISAE 3402, as in its predecessor SAS 70, auditor reports are classified as either Type I or Type II. In a Type I report, the auditor evaluates the efforts of a service organization at the time of audit to prevent accounting inconsistencies, errors and misrepresentation. The auditor also evaluates the likelihood that those efforts will produce the desired future results. A Type II report includes the same information as that contained in a Type I report; in addition, the auditor attempts to determine the effectiveness of agreed-on controls since their implementation. Type II reports generally incorporate data compiled over a six-month time period.

This was last updated in March 2012

Join the conversation

1 comment

ISAE 3402 is the international equivalent of the SAS 70 standard and was developed in 2011 by the IFAC (international). ISAE 3402 is not an extension or expansion of the SAS 70 standard. An important difference between SAS 70 and ISAE 3402 is the management assertion, in which management confirms that the organization is 'in control'.
The SAS 70 standard is the predecessor of the SSAE 16 standard (AICPA: US only). SSAE16 recognizes two types of reports: a SOC1 (outsourcing) and a SOC2 (compliance with Trust Services Principles). The SSAE16 SOC2 report is comparable with an (international) ISAE 3000 report, although ISAE 3000 doesn't recognize a framework for IT controls.
To summarize: SAS70 has been replaced by SSAE16 in the US and by ISAE 3402 and ISAE 3000 internationally. All new standards require a management assertion. For more information please see the ISAE 3000 register or the ISAE 3402 register.