ISAE 3402, put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC), is the globally accepted standard for assurance reporting on controls for service organizations.
NDNB also provides ISAE 3402 Type 1 reporting services for service organizations, which is known as the “Report on the description and design of controls at a service organization". And much like the SSAE 16 standard, an ISAE 3402 Type 1 report would included the following content:
- A description of the service organizations “system”.
- A written assertion from the service organization regarding the fair presentation of the system as designed and implemented as at the specified date, and that the controls related to the control objectives stated in the description of the system were suitably designed as at the specified date.
- A service auditor’s assurance report.
Thus, management of the service organization will need to pay careful attention to the new reporting requirements for ISAE 3402, particularly that of the description of its "system" along with the written assertion. If your organization has undertaken SAS 70 Type 1 or SAS 70 Type 2 compliance in the past, which called for a description of "controls", you will now need to ensure that you have a comprehensive understanding of what's needed for developing a description of one's "system" in accordance with the SSAE 18 standard.
Some service organizations may find subtle changes are only needed, while others may have to spend considerable time in developing their description of its "system". Because of these new reporting requirements, service organizations would highly benefit from an ISAE 3402 readiness assessment, performed by a competent, well-qualified CPA firm.