ISAE 3000 Audits (SOC 2)

ISAE 3000 Audits (SOC 2)

The difference between ISAE 3402 and ISAE 3000 is that, whilst an ISAE 3402 report covers a service organisation’s internal controls that are most likely relevant to a user organisation’s internal control over financial reporting, the ISAE 3000 standard covers independent assurance engagements other than audits or reviews of historical financial information. The ISAE 3000 can therefore be used to express an opinion on a service organisation’s security, availability and privacy of data as well as the processing integrity its systems.

Under the ISAE 3000 standard it is possible to express an opinion on all above principles (i.e. security, availability, privacy and processing integrity) or on only a selected one or more principles. For example, an opinion can be expressed on only privacy (e.g. compliance with POPIA and GDPR). An opinion can also be expressed on only security (e.g. compliance with ISO 27001).

The same benefits derived from obtaining an ISAE 3402 report, can also be gained by obtaining an ISAE 3000 report.


Both the ISAE 3402 (SOC 1) and ISAE 3000 (SOC 2) standards allow for the issuing of two types of reports:

Type 1 Report: This report expresses an opinion on only the design and implementation of internal controls – e.g. a design inefficiency refers to the lack of a control or a poorly designed control and / or poor implementation. The Type 1 report is normally issued the first time around – i.e. when a service organisation hasn’t obtained a SOC 1 or SOC 2 report before. The rationale behind a Type 1 report is that it allows a service organisation to first correct any poorly designed or implemented controls – before a Type 2 report is issued.

Type 2 Report: This report expresses an opinion on not only the design and implementation of internal controls, but also the effectiveness of controls – e.g. control ineffectiveness refers to an existing (well designed and implemented) control that doesn’t achieve its control objectives; i.e. it is not functioning and achieving its objectives as Management has intended it to do. The Type 2 report is the most sought after report – and can be issued after the service organisation has ensured that their controls are designed and implemented effectively (and controls had an opportunity to mature over several months).