ISAE 3402

Assurance reporting for service organisations that perform financial or administrative processes for their clients.

What is ISAE 3402 exactly?

ISAE 3402 is an international standard aimed at organisations that perform financial or administrative processes for their clients, such as payroll processing, pension administration, or cloud services that affect financial reporting.

Contrary to what is often thought, ISAE 3402 is not a certificate but an audit standard that results in an assurance report (audit report). This report indicates whether the internal controls of a service organisation are sufficiently effective and reliable.

In short:

  • International standard for service organisations that outsource or perform financial processes.
  • ISAE 3402 delivers an audit report (not a certification).
  • Focuses on internal controls relevant to clients’ financial reporting.
  • Internationally recognised and aligns with the US SOC 1 framework.

Why obtain an ISAE 3402 report?

Obtaining an ISAE 3402 statement is not a legal requirement, but it is increasingly requested by clients, regulators, or business partners. An ISAE 3402 report has several benefits:

Trust and assurance for clients and regulators

With an ISAE 3402 statement, you demonstrate that your organisation runs reliable and well-controlled processes that meet legal requirements and contractual obligations. This directly increases the trust of clients, suppliers, and regulators.

Optimal internal control

Through an ISAE 3402 audit, you gain insight into the effectiveness of your internal processes and controls. This improves your risk management and allows you to address any weaknesses in good time.

Competitive advantage in tenders and procurement

Companies that hold an ISAE 3402 statement have a significant advantage in procurement and contract negotiations, especially in sectors such as financial services, cloud computing, and administration.

Type I and Type II statements: what is the difference?

Within the ISAE 3402 standard we distinguish two types of statements: Type I and Type II.

ISAE 3402 Type I statement

A Type I statement is intended to confirm that your controls are properly designed at a specific point in time. Think of it as a ‘snapshot’: this report says something about the design and existence of internal controls, but does not yet assess their operation over a longer period. It is useful as a first step to quickly demonstrate that you have the right controls in place.

ISAE 3402 Type II statement

A Type II statement assesses not only the design and existence but also the operating effectiveness of the controls, usually over a period of six to twelve months. This report provides significantly more assurance to clients and auditors. It is the follow-up to a Type I statement when you want to provide additional assurance about the actual operation of the measures taken.

How does an ISAE 3402 process work?

Intake

Together we determine which processes fall within the scope of the ISAE 3402 audit and clearly document your expectations and objectives.

Kick-off

We organise a kick-off session with those involved in which we explain the full process, timeline, and division of roles.

Self-assessment

With our guidance, you perform an initial assessment of your internal controls. This immediately shows where any bottlenecks lie.

(Optional) Pre-audit

We can perform an optional pre-audit, for example when your organisation is obtaining an ISAE 3402 statement for the first time. This allows us to identify points of attention early and gives you time to address them before the formal audit.

Testing of controls

Through interviews, document reviews, and sampling we test whether your internal controls are adequate to achieve the stated control objectives.

Drafting the report

We prepare the audit report in accordance with NOREA guidelines.

Alignment of results

We discuss the results with your team, explain any areas for improvement, and answer questions.

(Optional) Implementation of improvements

Where necessary, you (or an external party) implement the improvements. We can advise on this, but we do not carry out the improvements ourselves, in order to maintain our independent audit position.

Final ISAE 3402 statement

After completion and any verification of improvements, we deliver the final ISAE 3402 statement.

What does an ISAE 3402 statement cost approximately?

| Complexity of services | Description | Estimate Type I | Estimate Type II |
|---|---|---|---|
| Low | <25 controls | €7,500 – €9,000 | €8,500 – €10,500 |
| Medium | ~35 controls | €10,000 – €20,000 | €11,500 – €23,000 |
| High | >50 controls | €25,000 – €45,000 | €28,000 – €52,000 |

Determining the exact cost of an ISAE 3402 audit is difficult without a good understanding of the environment. Every organisation is unique in its processes, controls, and maturity of internal controls. Factors such as the number of locations, type of services, outsourced work, and the level of documentation have a major impact on the audit effort required.

Based on our experience with dozens of audits across various sectors, the above estimate is a good starting point. These amounts are indicative and help you form an initial picture of the investment required for both a Type I and Type II statement.

Interested in an ISAE 3402 statement?

Contact us for a no-obligation discussion about the options for your organisation.