
ISAE 3402

We want to assure our users that our Software as a Service (SaaS) solution fully complies with the requirements of the European General Data Protection Regulation (GDPR) and proper IT conditions and practices.

 

ISAE 3402, which stands for "International Standard on Assurance Engagements 3402", is a global assurance standard developed by the International Auditing and Assurance Standards Board (IAASB). It is specifically designed for service organizations to provide assurance to their customers and stakeholders regarding the effectiveness of controls over financial reporting.

The primary purpose of ISAE 3402 is to give users of outsourced services confidence in the controls implemented by a service organization that are relevant to their financial reporting. This is particularly important when a service organization performs activities that are critical to the financial reporting of its clients or user entities.

Key features of ISAE 3402 include:

Service Organization Control (SOC) reports: The standard requires service organizations to produce a SOC 1 report, which provides detailed information about the design and effectiveness of their internal controls over financial reporting.

Type I and Type II Reports:

  • Type I Report: This report evaluates the suitability of the design of controls at a specific point in time.
  • Type II Report: This report not only assesses the design but also the operational effectiveness of controls over a specified period.

Scope and criteria: ISAE 3402 outlines the criteria that service organizations need to meet, and it establishes the scope of the examination, ensuring a consistent and comparable basis for reporting.

Independent service auditor: The examination and reporting are performed by an independent service auditor (often a third-party auditing firm) who provides an opinion on the effectiveness of the controls.


ISAE 3402 is often used in situations where a service organization is entrusted with critical financial processes, and the user entities require assurance that appropriate controls are in place. It is particularly relevant in outsourcing scenarios, such as when a company relies on a third-party service provider for key financial functions like payroll processing or data hosting.

Addo Sign is ISO 27001:2023 certified by Grant Thornton. This certification signifies that we have established, implemented, maintained, and continually improved our information security management system. We undergo annual audits to ensure our commitment to information security and to maintain our certification.

Read the full report here: ISAE 3402 report 
