The evolution of technology and its increased use has led businesses around the world to become more interconnected and interdependent on one another than ever before. Companies of all sizes can now easily reach and serve organizations around the globe, rather than just their region or country. As the services provided by service organizations are increasingly supported by underlying IT systems, the need for users of those services to obtain assurance about their security and reliability has risen.
Examinations of system and organization controls (SOC) have become the standard for evaluating and providing assurance over service organizations' controls. SOC 1 examinations (formerly issued under SSAE 16 and, before that, SAS 70) address internal controls over financial reporting, and SOC 2 examinations evaluate controls against the Trust Services Criteria. Determining how to provide such assurance becomes a little more complicated when a service organization operates internationally.
As organizations search for options to fulfill domestic and international standards, a number of questions arise. Some of the most commonly searched questions include:
- What does ISAE 3402 stand for?
- Who does ISAE 3402 apply to?
- Is ISAE 3402 the same as SOC 1?
- Is ISAE 3402 the same as SOC 2?
- What are attestation standards?
- What is the purpose of the AICPA standards for attestation engagement?
This post will address these questions as it provides some guidance that may be applied when determining how to address competing compliance needs of domestic and international clients.
What Organizations Set International Audit Standards?
The International Auditing and Assurance Standards Board (IAASB) issues standards for auditing, assurance, and quality control. Its predecessor body was formed in 1978, and the aim of the IAASB is to provide standards for audit and assurance services around the globe in order to strengthen public confidence in the profession. The IAASB's operations are supported by the International Federation of Accountants (IFAC). IFAC's 179 members hail from over 130 different countries and jurisdictions and represent roughly 2.5 million practicing accountants. The IAASB's specific objectives include the following:
- Increase the emphasis on emerging issues to ensure that the IAASB International Standards provide a foundation for high-quality audit, assurance, and related services engagements
- Innovate the IAASB’s ways of working to strengthen and broaden our agility, capabilities, and capacity to do the right work at the right time
- Maintain and deepen relationships with stakeholders to achieve globally relevant, progressive, and operable standards
With the support of the members of the IFAC, IAASB sets, monitors, and updates international standards as necessary.
What International Standards are Applicable to SOC Audits?
The IAASB's standards for assurance engagements other than audits or reviews of historical financial information are called International Standards on Assurance Engagements (ISAE). ISAE 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information, and ISAE 3402, Assurance Reports on Controls at a Service Organization, are the two international standards that apply to SOC examinations. As the titles suggest, ISAE 3000 is the overarching international standard for performing any kind of assurance engagement. ISAE 3402, which falls under ISAE 3000, is specific to engagements at service organizations.
When comparing these standards to the different SOC examinations, ISAE 3000 applies to both SOC 1 and SOC 2 examinations. ISAE 3402, however, applies only to SOC 1 examinations.
Can I Combine a SOC 1 or SOC 2 Report with ISAE 3000 or 3402?
The performance of SOC examinations and the preparation of the corresponding reports are governed by the American Institute of Certified Public Accountants (AICPA) Attestation Standards. The IAASB uses ISAE 3000 and ISAE 3402 to govern international examinations. So, can the two be combined into one examination and documented in one report? Or do you need two separate examinations and reports?
Yes, according to AICPA guidance, a single examination can cover both the AICPA and the IAASB standards. For a SOC 1 / ISAE 3402 report, a U.S. CPA firm must follow the AICPA requirements in SSAE 18 AT-C sections 105, 205, and 320 as well as the requirements of ISAE 3402. While there is significant overlap between the two sets of standards, they do not align perfectly. Some requirements that ISAE 3402 omits are still mandatory for CPA firms under the AICPA's Code of Professional Conduct. A U.S. CPA firm therefore cannot perform an ISAE 3402 engagement on its own; it must meet the AICPA requirements at the same time.
I will not bore you with a detailed comparison of ISAE 3402 vs. SOC 1 reports or ISAE 3000 vs. SOC 2 reports. What I will say is that these are the right comparisons to make:
- A SOC 1 examination may be performed in accordance with ISAE 3402; and
- A SOC 2 assessment may be performed in accordance with ISAE 3000.
How Do I Know What Report I Need To Provide?
Chances are, if you are reading this, you have been obtaining a SOC 1 or SOC 2 report for your organization for some time now, and you have recently received a request from an international client for an ISAE 3402 report. Because these combined reports are relatively uncommon and most individuals are familiar with only one of the two sets of standards, clients word the request in a variety of ways. Some of the wordings we have seen include:
- SOC 1 ISAE 3402 report
- SSAE 18 + ISAE 3402 report
- SSAE 16 + ISAE 3402 report
- ISAE SOC 2 report
- SOC 2 ISAE report
- SOC 2 ISAE 3402 report
- SOC 2 ISAE 3402 AICPA report
- SOC 2 report ISAE 3402
- SOC 2 ISAE 3000 report
- SOC 2 3000 AICPA report
Whether or not the request is worded precisely, it is safe to say that the client wants either a SOC 1 report prepared in accordance with ISAE 3402 (and therefore ISAE 3000) or a SOC 2 report prepared in accordance with ISAE 3000.
If you have been providing SOC 1 reports to your U.S. clients, a SOC 1 / ISAE 3402 report is most likely what you need. The same logic applies if you have historically obtained and provided SOC 2 reports. Chances are your international clients are looking for the same level of assurance that your domestic clients require.
If you have not obtained a SOC 1 or SOC 2 report in the past and are now receiving a request for a SOC and ISAE report, the following should help. Your client is most likely requesting a SOC 1 / ISAE 3402 report if the request mentions SOC 1, SSAE 18, or SSAE 16 together with ISAE, 3402, 3000, or some combination of the three. If the request mentions SOC 2 together with ISAE 3402, ask the client for clarification: ISAE 3402 does not apply to SOC 2, so the client is likely unfamiliar with one or both sets of standards, and a brief discussion should establish what they actually need.
If it is a first-time request for your organization, you will also want to clarify what type of report (Type I or Type II) you will need to provide. Read our post about the types of SOC reports to learn more.
Do You Need Assistance with a SOC / ISAE Report?
If you need a SOC / ISAE report and want assistance deciding which report is right for your organization, please contact us at Linford & Company. We have a team of IT audit professionals who specialize in performing SOC 1 audits (formerly SAS 70 / SSAE 16) and SOC 2 audits on behalf of service organizations all over the world. We are here to answer any questions you may have, help you address your audit needs effectively, and assist you in achieving SOC compliance.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.