The International Standard on Assurance Engagements (ISAE 3402) was developed as an international assurance standard that allows public accountants to issue a report on the controls at a service organization that are likely to impact internal control over financial reporting. This report is for use by user organizations and their auditors. The Statement on Standards for Attestation Engagements (SSAE 16) audit is established to verify data center operational and security excellence. While both standards are quite similar, SSAE 16 is considered to be an attestation standard and ISAE 3402 an assurance standard.


In addition to SSAE 16, three Service Organization Control (SOC) reports have also been established as the framework for examining controls at a service organization. 

  • SOC 1 report is mainly concerned with examining controls over financial reporting. 
  • SOC 2 includes auditor testing and results and specifically examines the details of data center testing and operational effectiveness. 
  • SOC 3 provides a system description and the auditor’s opinion, is for public use, and provides the highest level of certification and assurance of operational excellence that a data center can receive. 
The SOC 2 and SOC 3 reports focus on the pre-defined, standardized benchmarks for controls related to security, processing integrity, confidentiality, or privacy of the data center’s system and information. In general, these SOC reports provide insights into:
  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight


BWise provides comprehensive solutions that enable service organizations to comply with the requirements of the ISAE 3402 and SSAE 16 standards:
  • Management of the service organization will prepare a “Description of its System” (instead of just the controls) and will need to use suitable criteria in preparing the description
  • Management of the service organization will prepare a written assertion to accompany its description; the service auditor will then attest to management’s assertion
  • The service organization is responsible for identifying risks that could threaten the achievement of its controls objectives
BWise Governance, Risk and Compliance (GRC) management software enables the design and arrangement of internal controls and their assessment as required by ISAE 3402 and SSAE 16, and supports the planning and creation of the SOC reports. Specifically, BWise has developed a best-practice approach that allows internal controls and their framework to be set up, those controls to be tested regularly, and any associated risks to be found.


Shared services organizations face additional compliance challenges as well. With the BWise solution for shared services organizations, SOC reporting functionality for customers’ usage is just one click away, and with the internal control framework embedded in BWise, shared services organizations can easily manage and monitor the services delivered to their customers. To establish a complete overview of the internal control system for organizations that make use of Shared Services Centers, third-party control results can be imported into BWise.


Using BWise, compliance with all internal control and audit requirements is accomplished in the most cost-effective and efficient way. Audits can be performed rapidly and efficiently, with all required information readily available, saving substantial audit costs. In addition, BWise offers a completely integrated GRC software platform, with components that can assist not only with internal controls, but also with risk management and with embedding governance and compliance processes into your organization.
