ISAE 3402 – Seal of Compliance and Trust
* By Sabrina Lopes – Security Consultant [SAFEWAY]
ISAE 3402 is an international standard created on June 15, 2011 to replace SAS70. This standard was developed by AICPA and recommended by two major international organizations, IAASB and IFAC.
In Brazil, based on the international standard, the Federal Accounting Council (CFC) approved NBC TO 3402, a Brazilian accounting standard for control assurance reporting in a service organization. It advises the independent auditor on issuing a report that ensures the effectiveness of the controls adopted.
Among the information required for issuing the report, we can cite:
• Description of the controls adopted, based on policies and procedures that are designed and implemented and that should be documented;
• Definition of a process that identifies the risks to which the business is exposed and that may impact the achievement of the objectives defined by the organization;
• Guarantee of the effectiveness of controls.
The reports provided under ISAE 3402 enable companies to outsource and ensure the continued reliability of their service providers.
This standard certifies compliance of reporting processes and financial controls of service organizations, such as:
- Hosted data centers;
- Application service providers (ASPs); and
- Managed Security Providers.
To document the evaluated environment there are two report templates:
- The model named TYPE I validates the existence of control activities and processes.
- The model called TYPE II validates and guarantees the existence of controls and processes, ensuring their effectiveness through tests. The evaluation process extends to verification of security levels, availability, processing integrity, confidentiality and privacy.
The benefits of certification in ISAE 3402 are:
- Identification and monitoring of inherent business risks to avoid fraud;
- Creation of mechanisms capable of quickly identifying illicit activities;
- Avoidance of multiple customer audits;
- Improved company image compared to competitors, particularly because diagnostics are performed by recognized auditors.
Due to the crisis of confidence that disturbs the economic system and the increase in service activity, the development of control assurance reports in service organizations has increased in recent years. It is important for service organizations to provide their customers with a statement of confidence in control management.
ISAE 3402 has been used as a form of “seal” provided to customers and recognized worldwide as a quality label for a service organization.
Being in compliance with ISAE 3402 differentiates the service provider in its field, offering confidence to customers and stakeholders, and can facilitate obtaining other certifications, such as ISO and/or SOX.