The difference between ISAE 3402 types 1 and 2

Feb 16, 2023 Audit

More and more organisations, including pension funds and SaaS (Software as a Service) companies, are choosing to outsource important processes to service organisations. When an organisation does this, it wants to be sure its data is safe and that the service organisation acts responsibly, both with the data entrusted to it and in its response to any information security risks.

As a service organisation, you can put your customers’ minds at rest with an ISAE 3402 or 3000 statement. If you process your customer’s financial data, you need the ISAE 3402 statement; if not, you need the ISAE 3000 statement. In this blog, we focus on the ISAE 3402 statement - there are two types - and explain:  
  • what ISAE 3402 entails;  
  • the difference between types 1 and 2; and 
  • the benefits of ISAE 3402 certification.

What ISAE 3402 entails 

ISAE 3402 (ISAE stands for International Standard Assurance Engagements) was developed in response to the increasing need for organisations and regulators to manage the risks involved when outsourcing processes. The ISAE 3402 gives a better insight into the outsourcing of financial processes. The difference between ISAE 3402 types 1 and 2 is explained below.  

The difference between ISAE 3402 types 1 and 2 

The ISAE 3402 statement can be issued in the form of a type 1 or type 2 report. Although the content of both reports is the same, the period of time they cover is different. The two types of reports are explained below. 

Type 1 

The ISAE 3402 type 1 report is a snapshot in time. So, it describes the process and control measures in place in your organisation at a given time. The auditor will ascertain whether the measures described are adequate and whether you have actually implemented them. In other words, he or she will establish whether you are actually doing what you say you are doing. The auditor will issue his or her opinion in an audit report.  

Type 2 

The type 2 audit is a more extensive audit because it covers a period of at least six months and often a whole (financial) year. The type 2 report focuses on the process and control measures in place in the period in question. Just as he or she would in the type 1 audit, the auditor assesses whether control measures are adequate. The auditor will also ascertain whether the implementation of these control measures in the period in question corresponds with the intention of the procedure. In addition, the auditor will assess the effectiveness of the control measures during the period under review. This is something he or she does not do in the type 1 audit. The auditor will issue his or her opinion in the audit report and state the audit activities carried out.

To summarise, the most important difference between ISAE 3402 types 1 and 2 is that type 1 is a snapshot in time, while type 2 covers a longer period of time. Type 2 shows whether control measures are actually effective, which makes it more useful than a type 1 statement. A type 2 report makes effective information security far more likely.

The benefits of ISAE 3402 certification 

The benefits of ISAE 3402 type 1 or 2 certification follow below: 
  • Your customers feel that they can safely outsource their services to you.
  • The statement gives you an edge over organisations that do not have it.
  • The statement is recognised internationally.
  • The statement promotes the professionalisation of your organisation.