ISAE 3402
International Standard on Assurance Engagements 3402 , titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that prescribes Service Organization Control reports, which gives assurance to an organisation's customers and service users that the service organisation has adequate internal controls. ISAE 3402 was developed by the International Auditing and Assurance Standards Board and is published by the International Federation of Accountants. It was first published in December 2009 with an effective date of June 15, 2011. It supersedes SAS 70 and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls. It is also known as "Internal Control Framework over Financial Reporting". The approach is from a financial reporting perspective. The ISAE 3000 is a standard for assurance for all other non-financial purposes. In SOC terms, ISAE 3402 is a SOC 1.
ISAE 3402 defines two kinds of reports:
- Type I: Documenting a "snapshot" of the organisation's controls
- Type II: Documenting over a period of time showing controls have been managed over time.