
ISAE 3402 - documenting your internal controls as a supplier
Do you run a hosting platform, IT operations, payroll system, financial system or other outsourcing service?
Then your customers will expect - or demand - that you can demonstrate that you have internal controls in place. You can do this with an ISAE 3402 statement.
What is an ISAE 3402 statement?
ISAE 3402 is an international standard for auditor's statements on controls at service providers, such as IT operations, data processing or outsourcing.
It is used to document that you have established and implemented controls that ensure operational security, access management, logging, data security and more.
When is ISAE 3402 relevant?
- When you provide systems or processes that handle data or tasks for other companies
- When customers ask for or require documentation of your security and controls
- When working with compliance in regulated industries (e.g. finance, healthcare, HR)
- When you want to strengthen your trust and position in the market
Do you need to get ready?
We help you review your controls and processes - and identify what needs to be in place to achieve an ISAE 3402 statement.
Read more about our consulting services here
Ready to get your ISAE 3402 statement?
We carry out the audit and prepare the declaration - typically as Type 1 or Type 2 - depending on your needs and maturity.
Read more about our declarations here
Tool: Lexoforms
Lexoforms can support the documentation of your processes and controls - for example, by gathering documentation and follow-up in one place.
Frequently asked questions (FAQ)
What is the difference between ISAE 3402 Type 1 and Type 2?
- Type 1 assesses whether the controls have been designed and implemented correctly at a point in time.
- Type 2 also assesses whether they have worked effectively in practice over a period of time (typically 6-12 months).
Do all service providers need an ISAE 3402?
No - but it is increasingly expected in industries where outsourcing involves sensitive data, system-critical functions or regulated customers.
Can ISAE 3402 be combined with ISAE 3000?
Yes - it is possible to combine declarations if you also handle GDPR or information security for customers, for example.
Contact us - and get started with your ISAE 3402 declaration
We have experience with a wide range of service companies and know what it takes.
We guide you every step of the way - from initial assessment to final declaration.
Contact Simon

Simon Okkels
Simon Okkels is a Certified Information Systems Auditor (CISA®) - a global certification that guarantees deep knowledge of audit processes, reporting and compliance procedures within IT auditing and IT and information security.
Contact John

John Richardt Søbjærg
John Søbjærg is a state-authorized public accountant with in-depth knowledge of small and medium-sized companies in many industries. He has many years of experience in advising companies and issuing auditor's reports.
Contact Rasmus

Rasmus Lykke Sørensen
We are always ready to meet
Let's have a no-obligation conversation about what you and your business need and what we can offer. Just fill in the fields in the form and we will contact you shortly.
You are also welcome to call us at +45 39 53 50 00 or send an email to


Employees
140

Customers
3900

Revenue
+150 million

Year of establishment
1986
