ISAE 3000 is the assurance standard for compliance, sustainability and outsourcing audits. ISAE 3000 deals with assurance of non-financial information. Service Organization Control Reports in accordance with certain criteria (Trust Service Principles/ sustainability guidelines) without impact on financial information should be audited in accordance with the ISAE 3000 standard. Outsourced services with impact on financial information of the user organization should be audited in accordance with ISAE 3402. The ISAE 3402 standard is subject to the requirements of ISAE 3000.

ISAE 3000 and Outsourcing

Service organizations provide services to a user organizations. The user organization has outsourced services. For the user organization is relevant how the service organization deals with security, privacy or fraud. If the service organization processes financial information for the user organization, ISAE 3402 is relevant. If no financial information is processed, ISAE 3000 might be relevant. If the user organization requires transparency on security procedures, the service organization might provide a service organization control report or SOC2 report.  

Cloud Services and ISAE 3000

The application- and cloud services industry has grown in the past years. Software might be provided by SaaS (software-as-a-service-providers) and data is increasingly stored by cloud service providers (data centers). This growth of the outsourcing industry increased the demand over assurance and transparency of these services. User organization required information from service providers whether data is backed up properly and whether unauthorized access to critical data is  not possible.

ISAE 3000 report

Service organization report on these aspects by an ISAE 3000 report containing information on the internal processes and controls at the service organization. The ISAE 3000 report is audited by professional audit firms to provide assurance that the controls included are actually in place and operate effectively.

Example. outsourcing

A Software-As-A-Service provider (SaaS-provider) hosts applications for the government (the user organization). The information processed in applications has no impact on financial reporting procedures. The government requires the SaaS-provider to report on the effective operation of security measures. The service organization control report provided by the SaaS provider will be audited by a professional accountant (CPA) in accordance with the ISAE 3000 standard. The service auditor states in the assurance report that the security measures exist (type I) and operate effectively (type II). If the information processed in the applications has impact on financial information (e.g. annual report), ISAE 3402 would be applicable.

Example. sustainability reporting

A large retailer reports on sustainability. The criteria for sustainability and social responsibility are required by local government. An external auditor provides assurance with the sustainability reporting considering the criteria provided by government. Assurance is provided in accordance with the ISAE 3000 standard.

The users of the sustainability report know that the information in the report is accurate and all information is included. They also know that the information provided is in compliance with the relevant standards.

What are the requirements of ISAE 3000?

The requirements are included in the standard, which can be downloaded from the IFAC website. The standard includes the following components:

  • Ethical requirements
  • Required planning and audit procedures
  • Reporting requirements
  • Quality requirements
  • professional skepticism

Accredited auditors

ISAE 3000 requires the auditor to comply with ethical requirements (IESBA code), to apply Quality Control procedures and to be competent to perform the ISAE 3000 assurance engagement.

Type I and Type II

ISAE 3000 recognizes two type of reports; a type I report containing the control framework at a specific moment and a type II report that describes the operational effectiveness of the control framework for a period of six months. For a type I report an external CPA audits the controls on suitability of design and existence of the controls described. The external auditor reports also on operating effectiveness of the control framework for a predetermined period  of minimum 6 months.