ISAE 3402: The International Standard on Assurance Engagements, “Assurance Reports on Controls at a Service Organization”, is the new global standard for assurance reporting on service organizations. What’s interesting to note about ISAE 3402 is that there are two (2) critical components that service organizations will now have to adhere to: (1). The service organization must produce a description of it’s “system”. (2). The service organization must also provide a written statement of assertion. This differs from the popular SAS 70 auditing standard where no written statement of assertion was required and a description of “controls” was only required, not a description of the “system”.
In short, expect ISAE 3402 to bring about significant changes for reporting on service organizations-due in large part to the two (2) requirements put forth by the ISAE 3402 standard itself that differ from SAS 70.
Also, SAS 70 is effectively being replaced and superseded by Statement on Standards for Attestation Engagements No. 16 (SSAE 16), with it becoming effective for reporting periods ending on or after June 15, 2011.
SSAE 16 and ISAE 3402 are essentially similar standards, with some slight technical variations. They are the convergence of auditing standards that have resulted in a more unified and transparent framework for reporting on controls at service organizations.