10 years of ISAE 3402

Third-Party Assurance has been hot for a while already

This year marks 10 years since ISAE 3402 third party assurance for service organizations was announced. As many of you know, ISAE 3402 has an illustrious predecessor: the SAS70 standard that was applied since the late 1970s. Though very successful, in the end, it could not meet the increasingly complex expectations of its users anymore.

SAS70 paved the way for ISAE 3402.

A running start for ISAE 3402

With the exploding growth of the outsourcing industry, SAS70 was a unique and valuable feature that allowed your organization to distinguish itself from its competitors. However, prompted by some large accounting scandals, the ‘in control’ standard, which lies at the heart of SAS70, was just not satisfactory anymore. It was ineffective as an audit standard because it left too much latitude openings in presenting desired results.

Harshly said, under SAS70 it seemed possible to report according to a protocol that could be met by the servicer, irrespective of actual risk present in operations.

‘Assurance’ versus ‘audit’

ISAE 3402 eliminates this deficiency: its core is built around providing assurance and not around performing an audit. This requires the auditor to perform work in such a way that there is reasonable assurance about the design and operating effectiveness of the servicer control framework, all given the risk profile of the servicer. In addition, management is required to show commitment by a management assertion that addresses responsibility for the description of the service organization’s system.

ISAE 3402 requires commitment from both auditor and management.

The best there is?

With these improvements, ISAE 3402 should be the proof a user organization is looking for, just like SAS70 was in its era. However, in my everyday experience, both user and service organizations have noticed some unwelcome effects and shortcomings. Some relate to expectations, while others relate to costs, efficiency, and significance. Some of this dissatisfaction is caused by unfamiliarity. With increasing awareness of the new standard, users’ expectations have been more realistic and they have come to appreciate the benefits of ISAE 3402.

Whether you are a user organization or a service organization: it all starts with expectations.

Join the survey

Do you want to share some of your experiences and expectations about ISAE 3402 with us? We created a brief survey that only takes a few minutes to complete. Just click here. Your feedback is appreciated very much. We will be following-up with results and insights.

Want to know more about outsourcing and ISAE 3402?

Contact wim.krechting@bizzenze.com or give me a call at +316 4178 0569.