ISAE 3402, SSAE 16 COMPLIANCE AND SOC REPORTS
The International Standard on Assurance Engagements (ISAE 3402) was developed to provide an international assurance standard for allowing public accountants to issue a report on the controls at a service organization that are likely to impact internal control over financial reporting. This report is for use by user organizations and their auditors. The Statement on Standards for Attestation Engagements (SSAE 16) audit is established to verify data center operational and security excellence. While both standards are quite similar, SSAE 16 is considered to be an attestation standard and ISAE 3402 an assurance standard.
SERVICE ORGANIZATION CONTROL (SOC) REPORTS
In addition to SSAE 16, three Service Organization Control (SOC) reports have been established as the framework for examining controls at a service organization.
- SOC 1 report is mainly concerned with examining controls over financial reporting.
- SOC 2 includes auditor testing and results and specifically examines the details of data center testing and operational effectiveness.
- SOC 3 provides a system description and the auditor’s opinion, is intended for public use, and represents the highest level of certification and assurance of operational excellence that a data center can receive.
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
BWise provides comprehensive solutions that enable service organizations to comply with the requirements of the ISAE 3402 and SSAE 16 standards.
BEST PRACTICE FOR ISAE 3402 AND SSAE 16 COMPLIANCE
- Management of the service organization will prepare a “Description of its System” (instead of just the controls) and will need to use suitable criteria in preparing the description
- Management of the service organization will prepare a written assertion to accompany its description; the service auditor will then attest to management’s assertion
- The service organization is responsible for identifying risks that could threaten the achievement of its controls objectives
COMPLIANCE SOLUTION FOR SHARED SERVICES ORGANIZATIONS
Shared Services Organizations face additional compliance challenges. With the BWise solution for shared services organizations, SOC reporting functionality for use by customers is just one click away, and with the internal control framework embedded in BWise, shared services organizations can easily manage and monitor the services delivered to their customers. To establish a complete overview of the internal control system for organizations that make use of Shared Services Centers, third-party control results can be imported into BWise.
Using BWise, compliance with all internal control and audit requirements is accomplished in the most cost-effective and efficient way. Audits can be performed rapidly and efficiently, with all required information readily available, saving substantial audit costs. In addition, BWise offers a completely integrated GRC software platform, with components that can assist not only with internal controls, but also with risk management and with embedding governance and compliance processes into your organization.