IT Outsourcing

ISAE 3000 provides a framework for control over outsourced IT processes. IT developments drive rapid decline in costs and increase of productivity in organizations. Production and administration processes are increasingly automated. This development increases our dependence on information technology. Automated processes are often provided by service organizations such as SaaS-providers for software, IaaS-providers for networks and hosting providers for bare metal services. This increasing dependence on IT also increased demand over transparency and control of outsourced processes.

IT processes can be classified in accordance with the Cobit 5.0 categorization of processes; Security, IT operations, change management and incident management. If an application is outsourced to a service providers, the user organizations generally requires information on:

  • SLA management
  • Incident management
  • Change management 
  • Access controls
  • Data integrity
  • Back up and recovery 
  • Escrow

Data processed for organizations at cloud service providers can be data critical for an organization. If orders are processed by SaaS-providers or the Customer Relationship Management (CRM) application is hosted at a SaaS providers these processes might not have direct impact on the annual report. In this situation an ISAE 3000 will be sufficient. An user organizations acquires assurance that back ups are actually performed and that data will be safe in case of a bankruptcy of the service provider. 

ISAE 3000 is..

  • ..accepted by all auditors
  • the authoritative standard for outsourcing.
  • ..knows a real set of criteria.
  • an international accepted standard.

Three sections

An ISAE 3000 report consists of three sections:

  • An assurance report
  • A general description of the control framework
  • A risk/ control matrix

No specific requirements are provided for the form of an ISAE 3000 report. The separate elements of an ISAE 3000 report are provided in the standard. The form of the ISAE 3000 report is the responsibility of the service organization. The responsibility of the user service auditor is to provide assurance with this report. The service auditor should not provide detailed guidelines for the form of an ISAE 3000 report.

The General IT Controls

No specific requirements for IT controls are included in the ISAE 3000 standard. In the standard is included that information systems are part of the scope of an ISAE 3000 audit. This implies that all procedures that relate to the safe processing and storage of information are included in the scope of an audit. 

  • Controls over SLA management
  • Incident management
  • Change management 
  • Access controls
  • Data integrity controls
  • Back up and recovery 
  • Escrow


For an audit, specific requirements are applicable for the service auditor. These requirements are included in the ISAE 3000 standard. An ISAE 3000 assurance report can be issued by other professional practitioners than Certified Public Auditors. In such a case, the professional practitioner is required to provide the assurance in accordance with the similar requirements as professional auditors.

  • Ethical requirements
  • General skepticism
  • Professional standards
  • Quality control