An ISAE 3402 Type 2 report is known as the “Report on the description, design and operating effectiveness of controls at a service organization". As such, an ISAE 3402 Type 2 Report will contain the following:
- A description of the service organizations “system”.
- A written assertion from the service organization regarding the fair presentation of the system as designed and implemented throughout the specified period, and that the controls related to the control objectives stated in the description of the system were suitably designed throughout the specified period and operated effectively throughout the specified period.
- A service auditor’s assurance report
Please keep in mind that if your organization has previously achieved SAS 70 or SOC 1 SSAE 16 Type 1 or Type 2 compliance, the new ISAE 3402 standard will require a description of a service organization's "system" as opposed to the now defunct SAS 70 (and SSAE 16) standard, which called for a description of "controls". The differences may be subtle for some entities, however, it may also cause a large number of service organizations to spend considerable time and effort in developing one's description of its "system".
Thus, it is highly recommended that service organizations undertake an ISAE 3402 Readiness Assessment for properly understanding the changes brought about by the new global standard on assurance reporting. The two most commonly discussed differences from the previous SAS 70 auditing standard-(1). A service organization's description of its "system" and (2) the written assertion provided by management-are well-known, but there also a number of other critical issues that service organizations also need to be aware of concerning ISAE 3402.
To learn more about ISAE 3402 Type 2 reports, contact a well-qualified CPA firm to help assist your organization in achieving ISAE 3402 compliance. Contact Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to receive a competitive, fixed fee for all your SOC 1 SSAE 16 and SOC 2 compliance needs.