ISAE 3000 is the assurance standard for all assurance engagements other than audits or reviews of historical financial information. ISAE 3000 is criteria-based: the auditor tests whether the subject matter information (for example a sustainability report or a description of a control framework) has been prepared in accordance with a relevant set of criteria. A reasonable assurance engagement (an audit) provides reasonable assurance that these criteria are actually met; a limited assurance engagement (a review) provides only limited assurance.

Security policy

If ISAE 3000 is applied to information about the security framework of an organisation, the COBIT 5.0 guidelines and best practices might be used as the security criteria. This would imply that the security framework should be in accordance with the security principles in COBIT 5.0, and the auditor should assess whether it is. In an ISO 27001 audit the security framework (the ISMS) is not tested against principles, but against the requirements of ISO 27001. The difference is that under ISAE 3000 the security policy should lead to a security objective (such as not losing critical data), while ISO 27001 only requires that a security policy exists. If that policy did not actually prevent the loss of critical data, the ISO 27001 requirement would still be met, whereas the ISAE 3000 criterion would not.

ISAE 3000 requires the criteria to be suitable. Suitable criteria have the following characteristics:

  • Relevance Criteria are relevant if they result in information that supports decision-making by the intended users.
  • Completeness Criteria are complete if information prepared in accordance with them does not omit relevant factors that could affect the decisions of the intended users. Complete criteria include benchmarks for disclosure and presentation where relevant.
  • Reliability Criteria are reliable if different practitioners in similar circumstances would arrive at similar conclusions when measuring or evaluating the subject matter.
  • Neutrality Criteria are neutral if they result in subject matter information that is free from bias as appropriate in the engagement circumstances.
  • Understandability Criteria are understandable if they result in information that can be understood by the intended users.

Selection criteria for an ISAE 3000 report

ISAE 3000 does not prescribe any criteria itself. It is a method for providing assurance on non-financial information, and the criteria applied in an ISAE 3000 engagement can be selected or developed in a variety of ways:

  • Issued by authorized or recognized bodies, such as the requirements of Solvency II or Basel II
  • Embodied in law or regulation
  • Developed collectively by a group
  • Specifically designed for the purpose of preparing the subject matter information.

The intended users should be able to understand how the subject matter has been measured or evaluated; therefore the criteria should be made available to the intended users. The criteria can be made available by:

  • Publicising the criteria
  • Inclusion in the presentation of the subject matter
  • General understanding
  • Inclusion in the assurance report

Established criteria are criteria issued by authorized or recognized bodies of experts that follow a transparent due process. In this process the relevant body examines whether the criteria are relevant to the users' needs. Established criteria are presumed to be suitable; criteria that are specifically developed for an engagement must be assessed for suitability by the practitioner.