Demonstrating internal control: ISAE and SOC reports enhance customer confidence

Organizations are increasingly requesting suppliers to provide an ISAE or SOC report. Especially now that more organizations are handling privacy-sensitive customer information, demonstrable focus on information security and cybersecurity is becoming increasingly important. Kiwa has years of experience in ISAE and SOC reporting and can conduct the audit for you.

Internal control encompasses the set of measures through which an organization aims to achieve its objectives within constraints such as costs and compliance with agreements. When a significant business process is outsourced, an organization naturally wants to ensure that its organizational objectives are still being met. In this regard, an organization can request reports from the supplier.

ISAE 3000 versus ISAE 3402

The International Standards on Assurance Engagements (ISAE) have a broad scope and relate to internal control. The outsourcing of services gained momentum with the rise of the internet in the early 1990s. At that time, there was only an American guideline for accountants of service organizations to prepare a report that allowed auditors of user organizations to perform their financial statement audit without visiting the service organization itself. The report focused solely on the reliability of data processing at the service organization, because the primary objective of a financial statement audit is to provide an opinion on the true and fair view of the financial statements. The ISAE 3402 guideline currently serves this purpose.

However, parties other than auditors conducting financial statement audits are also interested in reports on the service provision of service organizations. For example, user organizations may want to be informed about the quality of service provided by hosting providers or SaaS vendors. Additionally, in procurement processes there is an increasing demand for proof from an independent auditor that the service provision meets sufficient quality criteria. Besides reliability, other quality aspects are often taken into account, such as continuity and confidentiality of data processing. For these types of examinations, the (less stringent) ISAE 3000 guideline should be used.

SOC 1 versus SOC 2

The ISAE guidelines themselves do not provide frameworks against which the auditor can perform their assessment. Requiring an ISAE report without specifying the framework to be used would therefore be meaningless. Commonly used frameworks are those related to Service Organization Controls (SOC).

The SOC 1 standard originates from the USA and was developed by the Association of International Certified Professional Accountants (AICPA). SOC 1 is essentially intended to be used by the auditor of the service organization, who conducts an examination and prepares reports for the auditors of the financial statements of user organizations. SOC 1 does not have a predefined framework of criteria; the criteria must be established by the auditor of the service organization based on a risk analysis. SOC 1 is closely linked to the ISAE 3402 guideline.

SOC 2 was also developed by the AICPA and provides a predefined framework of criteria with 13 possible control objectives that can be achieved through 61 control measures. SOC 2 is intended and suitable for hosting providers, SaaS vendors and data centers, among others. The control objectives, also known as Trust Service Criteria, include:

  • Control environment
  • Communication and information
  • Risk assessment
  • Monitoring activities
  • Controls
  • Logical and physical access security
  • System operations
  • Change management
  • Risk mitigation
  • Availability
  • Confidentiality
  • Processing integrity
  • Privacy

Not all control objectives are mandatory. Control objectives that are not applicable can be excluded. SOC 2 examinations should be conducted using the ISAE 3000 guideline.

Type I versus Type II

Depending on the level of assurance required by the (auditor of the) customer of the service organization, there are two types of examinations or reports:

  • Type I: This involves examining the design of the internal controls of a service organization, the suitability of the criteria (system of standards) and the implementation of these criteria.
  • Type II: This involves examining the design of the internal controls of a service organization, the suitability of the criteria (system of standards) and the operational effectiveness of these criteria.

The main difference between Type I and Type II examinations is that a Type I report is issued as of a specific date, for example, the achievement of control objectives on December 31. A Type II report is issued for a reporting period, for example, the achievement of control objectives for the period from January 1 to December 31. It is reasonable to assume that a Type II report has more value for the customer than a Type I report. Type I reports are also less frequently issued than Type II reports and are usually used once by the service organization to familiarize themselves with this type of examination.

For more information

If you would like to know more about ISAE guidelines and/or SOC reports, please feel free to contact us.