RAC | Your IT Sparring Partner

ISAE 3000/ 3402/ 4401

To ensure the quality of your data (and third-party data), the ISAE (International Standard for Assurance Engagements) was created. In fact, more and more organizations are outsourcing their processes to service organizations. The organizations that outsource their processes remain ultimately responsible for internal control. This raises the question of how a service organization controls processes. The ISAE answers this question. Our IT auditors all have experience in testing the ISAE framework and preparing the assessment report. 

Need more information? Then get in touch by filling out the form below or call us at 085 4000 737.

Check out the various ISAE standards below .

ISAE 3000

Often used for outsourced processes of a service organization (contractor) that have no impact on the financial processes of the user organization (client), but mainly have an impact on the operational processes of the user organization. We can assist in preparing an ISAE 3000 type 1 report (design and existence of control measures) and an ISAE 3000 type 2 report (effective operation of control measures).

ISAE 3402

Service providers are asked the questions; "How is data stored?", "How is change management handled?", "Does my supplier comply with privacy laws and regulations (AVG)? In addition to these questions, there is often a legal requirement for companies and institutions to control processes they outsource. ISAE 3402 answers the risks and challenges related to outsourcing by providing assurance on risk management and internal control.

In addition, when processes related to financial statements are outsourced, auditors require assurance of the proper execution of these processes. All accountants in the Netherlands recognize the ISAE 3402 standard and can rely on it for their annual audit.

There are two variants of ISAE 3402 reports; a Type I and a Type II report. A Type I focuses on the existence of your risk management and internal controls; a Type II also confirms the effective operation during the audit period.

ISAE 4401

Sometimes the organization does not need to obtain an opinion, but wants to gain insight into the IT risks within the company. No assurance is then requested in which case an ISAE 4401 is appropriate. The ISAE 4401 is the guideline that an IT auditor applies when he receives an assignment for specifically agreed upon work related to information technology. Such an assignment can thus cover very specific sub-areas and thus the scope is often limited and the work serves a particular purpose.