ISAE 3402 - SSAE 18 - certification for payroll and accounting studies -

ISAE 3402 and SSAE 18 WHAT ARE THEY?

ISAE is the International Standard on Assurance Engagements 3402 (ISAE 3402), and is an international assurance standard.

Interested companies can be verified by a certification body that verifies compliance with the procedures and controls set out in the ISAE standard.

Following verification by a certification body, the relevant Service Organization Control (SOC) reports are issued.

Companies subject to audit and in possession of Service Organization Control (SOC) reports can guarantee their customers that the company has adequate internal controls.

ISAE was developed by the International Auditing and Assurance Standards Board (IAASB) and is published by the International Federation of Accountants (IFAC).

ISAE 3402 WHO IS INTERESTED?

Which companies may be interested in being audited according to ISAE 3402?

companies in the information technology sector
labour consultants
auditors and companies that certify the financial statements
companies that manage administrative, tax and accounting practices as outsourcers

If these companies want to become external suppliers of multinationals (especially American ones), it is likely that these companies will be required to be audited according to ISAE 3402 and consequently to be in possession of an audit report according to ISAE 3402 issued by a third party inspection body.

ISAE 3402 REPORTS

ISAE 3402 defines two types of audit reports:

Type I: Basic level - Document a "snapshot" of the organisation's controls and verify that the system of checks and controls has been implemented for at least 6 months.

Type II: Advanced level - certifies that the controls have been managed over time and that the organisational system has been implemented and managed for at least 12 months

During the audit phase, particular attention is paid to the requirements relating to the management of privacy and business continuity.

SSAE 16 AND SSAE 18

SSAE 18 is an audit standard for companies providing services, defined by the American Institute of Certified Public Accountants (AICPA), which replaces Audit Standard Statement No. 70 (SAS 70) and replaces SSAE No. 16.

SSAE 18 reflects international standard ISAE 3402.

SSAE 18 as ISAE 3402 has two different types of reports.

SOC 1 type 1 report is a snapshot of the organisation on a given day

SOC 2 report verifies that the controls have been managed over time

Companies that have been audited according to SSAE 18 can be considered as complying with Sarbanes - Oxley requirements (section 404) and can demonstrate that they have implemented effective internal controls regarding financial reporting.

SSAE 18 as ISAE 3402 can be applied to outsourced service providers in the areas of information technology, payroll management, accounting, administration, financial data management, etc.

For certifications of the other management systems, see the page dedicated to management system certifications.