20 August 2018

ISAE 3402, PS 951 - How these standards save money in annual financial statements

Fabian Kaiser

Head of Security & Compliance

Challenges when outsourcing accounting-related processes

When a company outsources accounting-related processes, it must ensure that an appropriate internal control system and risk management are in place and effective. This applies not only to the company itself but also to the outsourced functions at the service provider.

If these processes become the subject of an annual audit, the question arises for the outsourcing company and its auditors as to how the internal controls at the service provider can be audited - for example, through an on-site audit of the service provider's service-related internal control system by the auditors. However, this is very time-consuming and expensive.

ISAE 3402: Uniform standards for the audit of internal controls at service providers

Service providers such as Claranet generally serve not just one client but a large number of clients, and those clients are in turn audited by different audit firms. Without a common standard, the service provider's service-related internal control system would have to be audited separately for each client and each audit firm, which is indeed what currently happens at some service providers. This is an unsatisfactory situation for both sides.

The responsible international bodies have recognised this problem and the International Auditing and Assurance Standards Board (IAASB) published the International Standard on Assurance Engagements No. 3402 (ISAE 3402), "Assurance Reports on Controls at a Service Organisation" in December 2009. The Institut der Wirtschaftsprüfer in Deutschland e.V. (Institute of Public Auditors in Germany) has also published an audit standard for Germany based on ISAE 3402, IDW PS 951. The results of such an audit of a service provider are summarised in a standardised report (Service Organisation Control / SOC report) and this report can be made available to companies and their auditors on request.

What is a SOC 2 report?

A SOC report deals with internal controls in relation to:

  • Security
  • Availability
  • Integrity
  • Confidentiality (data protection)

of the processed data and processes. A Type I report assesses the design of the controls, that is, whether the control objectives and the associated controls are appropriately defined, at a specific point in time. A Type II audit additionally examines the operating effectiveness of the controls over a period, usually the previous year, and includes the test scenarios and their results in the report. This is also the key difference from an ISO 27001 certification, which likewise only looks at one point in time.

Conclusion: Companies that outsource accounting-relevant processes to a service provider can save a lot of money and time if the service provider provides a SOC 2 Type II report in accordance with ISAE 3402 or an IDW PS 951 report.

Information on Claranet's SOC 2 Type II report and other certifications can be found on the Compliance page.