ISAE 3000 in relation to ISAE 3402

The most recent ISAE 3000 standard is issued per December 2013. The most recent ISAE 3000 standard is more detailed and prescriptive than the prior more 'conceptual' standard. ISAE 3402 has worldwide grown in popularity as a consequence of increased outsourcing to service organizations. In the ISAE 3402 standard, a reference is made to ISAE 3000; all ISAE 3402 engagements should also be performed in accordance with the ISAE 3000 standard. ISAE 3402 is focused on controls at a service organization, specifically the controls that relate to financial information of a user organization. User organizations that outsource IT processes to service organizations only, such as cloud service providers, could report in accordance with ISAE 3000, only. An ISAE 3402 is referred to as an SOC1 report in the US, an ISAE 3000 is referred to as a SOC2 report if the (AICPA) Trust Service Principles are applied.

Example I | Datacenter

A hosting provider offers rackspace and basic security controls, such as access control to the datacenter, measures against power failure and fire safety controls. User organizations that host servers in the datacenter would require the service provider to provide insight in relevant security measures and would require an external auditor to audit the procedures. If the only service provided is data processing and outsourced processes have no impact on the financial reporting of user organizations, the service provider could issue a ISAE 3000 report on the security framework.

Example II | SaaS provider

A cloud and software-as-a-service (SaaS) provider offers Microsoft Office 365 and other application hosting. If financial information is stored and processed in this datacenter, ISAE 3402 would be relevant. The auditors of the user organization need to investigate whether the General IT (including security) controls are sufficient for the service organization. In this example the report should be audited in accordance with the ISAE 3402 standard. As a consequence of the relation among ISAE 3402 and ISAE 3000, the audit should also be performed in accordance with ISAE 3000.

Service Organization Control Reports that include a description of the General IT Controls only should report in accordance with ISAE 3000 if no financial data is processed. In the assessment whether a ISAE 3000 or ISAE 3402 is relevant the question should be asked if the services provided have impact on the financial processes of the service organization. 

If only Office suites like Office 365 is provided as a service, most likely no financial data will be processed and the services will have no impact either on the financial processes of the service organization; only ISAE 3000 is relevant. If services such a PaaS are provided, the user organizations might process data on the platform. The organization should assess whether an ISAE 3402 or ISAE 3000 report will be provided. If financial data is processed, the ISAE 3000 report will have no added value for the user organization. Generally, if the controls relate to the General IT Controls only, an ISAE 3000 report might be most relevant. If financial data is processed within the framework (cloud services, application, platform) provided, ISAE 3402 is relevant. If ISAE 3402 is relevant, financial control and application controls might be relevant.

The topics included in the ISAE 3000 standard are:

Regulation and general guidelines for the auditor:
  • Ethical requirements
  • Quality control
Guidelines for the performance of the assurance engagement:
  • Engagement acceptance
  • Planning
  • Using the work of an expert
  • Obtaining evidence
Detailed descriptions for the ISAE 3000 report:
  • Documentation
  • Preparing the assurance report
ISAE 3000 audit engagements can be classified in two dimensions; reasonable assurance engagements (audit) and limited assurance engagements (review). The engagement can be classified as a attestation engagement if a party other than the auditor measures the underlying subject matter against criteria. In a direct engagement the practitioner measures the underlying subject against applicable criteria.