ISAE 3402


Third Party Assurance Services

Our team consists of experts in supplier governance and assurance along with experts in the various forms of attestation standard methodologies. We team with our subject matter experts from our IT Audit, Cyber Security, Financial Audit, Legal and industry groups to provide a flexible team structure that allows us to meet the needs of a variety of engagements.

Each engagement can require its own set of competencies based on the scope of services to be covered and the technologies involved. With our team's flexibility, we are able to provide our services to a wide variety of customers in many industries and with many complex IT configurations.

Our Third Party Assurance (TPA) services group has extensive experience in providing governance and internal control related services to both sides of the customer / supplier equation.

  • Customer side: we assist customers in developing their Supplier Governance Programs and accompanying governing policies, we perform supplier audits and we review supplier provided assurance reports.
  • Supplier side: We help suppliers (e.g., managed IT services, SaaS providers, accounting, payroll or other financial transaction processing, etc.) in developing and issuing a variety of attestation reports (e.g., ISAE3402 / SOC1, SOC2, ISAE3000, GDPR attestation).

Our TPA services focus on two fundamental areas, Supplier Governance and Assurance and Supplier attestation.

IT Supplier Governance and Assurance

We have assisted companies in developing risk based supplier evaluation programs and in executing supplier audits. This is generally done either as part of an effort to increase confidence in vendor relationships or in evaluating a company’s own internal supplier governance standards and evaluation programs.

Some of the uses for these services we have seen include:

  • Evaluating adequacy of Vendor Governance Policies and enforcement programs
  • Developing and executing annual vendor audit programs for internal audit
  • Developing supplier profiling programs to establish risk profiles used to, for example, set thresholds for GDPR liability or in renegotiating contracts

Supplier attestation

We have extensive experience in assisting suppliers of services such as managed IT Services, Software as a Service (SaaS), accounting service and payroll processing providers, and data center management providers in preparing for, designing and issuing third party attestation reports.

Our services include:

  • Gap analysis programs for ISAE3402 / SOC1, SOC 2 and GDPR attestations
  • ISAE3402 / SOC1 readiness and reporting
  • SOC2 readiness and reporting
  • GDPR attestation readiness and reporting (See brochure on this page)
  • ISAE3000 based attestation engagements
  • Streamlining TPA reporting activities to realize efficiencies / cost savings

Our team

Our TPA team consists of experts in supplier governance (from and internal control perspective) and in performing numerous vendor evaluations across the globe.

We also have extensive experience with the various attestation standards (e.g., ISAE 3402 / SOC 1, SOC 2, ISAE3000, ISRS4400). We issue many attestation reports for some of Norway’s largest IT service suppliers.

We team with our IT Audit, Cyber Security, Financial Audit, Legal and industry experts to ensure that we have the right competence to match the needs of each engagement. With this flexibility, we can provide attestation services to a wide variety of suppliers in many branches.

Click on the links on this page to download our service brochures and TPA-related articles by our TPA subject matter experts.

Nordic cooperation with global reach

Our Nordic TPA team consists of more than 85 professionals, including TPA methodology and standard experts and subject matter experts from our IT audit, Cyber Security, Financial Audit, Legal and Consulting departments.

We provide TPA services to more than 100 clients in the region, producing more than 190 individual TPA reports annually.

We work together to assemble the right team for each engagement to ensure that we deliver the quality and capacity that TPA engagements require. We share templates, best practice tools and our experience with each other in order to ensure that we deliver quality efficiently.


Kevin McCloskey

Kevin McCloskey


Kevin McCloskey er Director i Risk Advisory.... Mer