International Standard on Assurance Engagements 3402 (ISAE 3402), titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that prescribes Service Organization Control (SOC) reports, which give assurance to an organisation's customers and service users that the service organisation has adequate internal controls.[1] ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB) and is published by the International Federation of Accountants (IFAC). It was first published in December 2009[2] with an effective date of June 15, 2011.[3] It supersedes and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls.[4] It is also known as "Internal Control Framework over Financial Reporting" (ICFR).[citation needed] The standard approaches controls from a financial reporting perspective. ISAE 3000 is a standard for assurance for all other, non-financial purposes. In SOC terms, ISAE 3402 is a SOC 1.

ISAE 3402 defines two kinds of reports:

  • Type I: Documenting a "snapshot" of the organisation's controls.
  • Type II: Documenting the controls over a period of time (typically 6 months), showing that they have been managed over time.[5]

  1. "ISAE 3402 Services". A-LIGN. Retrieved 10 May 2015.
  2. "Common Myths of Service Organization Controls (SOC) Reports". ISACA. 1 March 2013. Retrieved 17 February 2020.
  3. "ISAE 3402 Assurance Reports on Controls at a Service Organization" (PDF). International Federation of Accountants (IFAC). Retrieved 17 February 2020.
  4. "ISAE 3402". ICC. Retrieved 9 May 2018.
  5. "Service organization control (SOC) reports". Retrieved 10 May 2015.