Article

Technology Assurance & Advisory

Third-Party Assurance ISAE3402 (previously SAS70)

The purpose of an ISAE3402 review is to provide client auditors with an objective report that expresses an opinion about the control environment of a service organisation. The benefit is an objective opinion about a standardised set of objectives tested only once to minimise business disruption.

Third Party Assurance

Outsourcing is a growing trend, and companies increasingly depend on third-party providers to deliver critical services.

The purpose of an ISAE3402 review is to provide client auditors with an objective report that expresses an opinion about the control environment of a service organisation. The benefit is an objective opinion about a standardised set of objectives tested only once to minimise business disruption.

Companies often depend on many providers to deliver any number of services. Consequently, outsourcing companies are looking for third-party assurance to provide their clients with comfort about their internal control environment.

An ISAE3402 review, which provides an objective report that expresses an opinion about the control environment of a service organisation on which multiple auditors can rely. This will be based on a standardised set of objectives, tested only once in a period, which minimises business disruption and provides the ICT service provider’s clients with proactive assurance. The controls tested are typically those that will have a direct impact on the risk of material misstatement in your financial account balances

Hiring an independent service auditor to perform the review allows your organisation to be subjected to just one internal controls audit. Upon completion, the report is distributed to the service organisation’s users so that their auditors may rely upon its opinion and findings and subsequently limit or eliminate additional substantive audit procedures.

User organisations that obtain a Service Auditor's Report from their service organisation(s) receive valuable information regarding the service organisation's controls and the effectiveness of those controls. The user organisation receives a detailed description of the service organisation's controls and an independent assessment of whether the controls were placed in operation, suitably designed and operating effectively (in the case of a Type II report).

Did you find this useful?