What is a ISAE 3402?
International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC). ISAE 3402 was developed to provide an international assurance standard for allowing public accountants to issue a report for use by user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization’s system of internal control over financial reporting.
Applicability
ISAE 3402 is generally applicable if an independent auditor (“user auditor”) is planning the financial statement audit of a user organization that obtains services from other organizations (“service organization”). The report will be audited by a ISAE 3402 auditor (specialized service auditor). The service auditor reports to the independent auditor in accordance to ISAE 3402 on the operating effectives of procedures and controls, relevant for annual reporting.
Objective
The objective of ISAE 3402 is to:
- Set internal controls of a service organization
- Give quality criterion for service providers that distinguishes them from competitors.
- Protect shareholders and the general public from accounting errors and fraudulent practices
- Provide reasonable assurance that physical access to system data and functions is properly authorized and administered.
- Provide reasonable assurance that critical information technology infrastructure is protected from certain environmental threats.
Approach
Our approach has been covered in the following phases. It includes:
- Risk Assessment
The first step to documenting internal controls is to conduct a risk assessment. Understanding your risks will help you to understand what controls you have or need to mitigate the risk. - Establish A Control Framework
Establish the framework for your internal controls w.r.t ISAE 3402, the key processes to mitigating a potential risk, the objectives of the control, the requirements must be in place for you to control the situation effectively. - Document The Control Activity
The programmatic steps taken to achieve the goals of your internal controls. - Test Control Effectiveness
A strong part of robust internal controls is testing to assure it is effective at preventing security incidents. - Reporting
- Certification
Why CyberSRC®?
Established in January 2018, CyberSRC® Consultancy offers the full machination of cyber security services ranging from threat intelligence, VMS to general advisory services in areas pertaining to Cyber security such as vulnerability attacks, compliance, and cyber security regulations, and laws. We are into system audits such as ISNP Audits, NBFC Audits, UCB Audits, PPI Audits, and SEBI Audits. We provide our solutions with better accountability. We are a certified assurance firm. We are an ISO 27001 certified organization, backed by a very diverse and dynamic team which have a combined experience.