ISAE 3402 Audits (SOC 1)
An ISAE 3402 report provides a vehicle for reporting on a service organisation’s system of internal controls that are relevant to a user organisation’s internal controls over financial reporting. ISAE 3402 reports are normally intended to be auditor-to-auditor (i.e. from service auditor to user auditor) communications. The ISAE 3402 replaced the old SAS 70 standard and report.
By obtaining an ISAE 3402 report, the service organisation can avoid multiple audits on their internal control – as user entities’ auditors may rely upon the report’s opinion and detailed findings – as issued by the service auditor. The ISAE 3402 report contains a description of the controls, control objectives, tests performed by the service auditor as well as test results – specifically included for the information of the user auditor, who, under normal circumstances, would have had to deal with the service organisation directly to identify controls, control objectives and perform tests.
WHY A BDO ISAE 3402 REPORT?
- A service organisation might want to obtain an ISAE 3402 report for marketing purposes - as it is easier to take on and retain clients if they can demonstrate that they as service provider have proper internal controls in place to mitigate risk relevant to a user entity’s financial reporting.
- For certain user organisations, again, it is a minimum requirement; i.e. their service providers must have an ISAE 3402 report before they would do business with them.
- An ISAE 3402 report, issued by BDO (as a service auditor), differentiates the service organisation from its competitors by demonstrating due diligence on the establishment of a proper internal control system over financial reporting.
- An ISAE 3402 report creates trust between the service organisation and user organisation.
- Without an ISAE 3402 report a service organisation may have to deal with multiple audit requests from its clients and their respective (user) auditors. Multiple visits from their clients’ auditors can place a strain on the service organisation's resources. An annual ISAE 3402 report ensures that all user organisations and their auditors have access to a report describing the systems of the service organisation as well as the systems of internal control.
- A user organisation who receives an ISAE 3402 report from its service provider, receives valuable information regarding the service organisation's controls and the effectiveness of those controls. The user organisation receives a detailed description of the service organisation’s controls and an independent assessment of whether or not the controls that were placed in operation, are suitably designed, and operating effectively (in the case of a Type II report).
- A user organisation should provide a service auditor's report to their own auditor (user auditor). This will greatly assist the user auditor in executing the audit of the user organisation's financial statements. Without a service auditor's report, the user organisation would likely have to incur additional costs in sending their auditors to the service organisation to perform their procedures. It therefore means reduced audit fees for the user organisation.