19 December 2013

The demand for Third Party Assurance reports will increase in the years to come as the International Auditing Standards will be made applicable for a majority of EU-members (including Belgium) as of January 1, 2014. The ISA-standards will be applied in the context of (financial) audit engagements performed by chartered accountants. After all, the management of an enterprise is also responsible for executing and monitoring the adequacy of internal controls with respect to outsourced processes.

The ISA-standards provide a framework for Third Party Assurance reports to be made available to all relevant third parties (read customers, chartered accountants, etc.) supplementing their audit and control procedures. Third Party Assurance reports provide assurance to all relevant third parties with respect to the design and operating effectiveness of the internal control environment of the service organisation and its service portfolio.

What is an ISAE3402 report?

  • An ISAE3402 report (previously known as SAS70) is a Third Party Assurance (TPA) report. The report reflects that a service organisation (read BT) has been through an in-depth audit of their internal control environment relating to the organisation’s service offering.
  • ISAE3402 audits are performed by an independent audit firm (read BDO).
  • The International Standard on Assurance Engagements (ISAE) 3402, “Assurance Reports on Controls at a Service Organisation,” is an international auditing standard developed by the International Auditing and Assurance Standards Board.

Why an ISAE3402 report?

  • To obtain assurance about the existence and adequacy of controls at their service provider, an outsourcing client has 2 options:
    • Assess and examine themselves the internal controls at the service providers;
    • Rely on an ISAE3402 report examined by an independent auditor commissioned by the service provider.
  • An ISAE3402 not only reduces the overhead and impact of external audits by your customers, it also allows you to demonstrate the quality of your services.
  • As such an ISAE3402 is required by existing customers as assurance of the quality of the service supplied.

A practical example: Third Party Assurance reports provided to BT Benelux

With the Third Party Assurance reports, BDO Risk & Assurance Services, as an independent consultant, certifies the three main services of BT Benelux being:

  • the worldwide network,
  • the local connectivity to Benelux clients,
  • data center services delivered to Benelux clients.

Third Party Assurance reports not only provide added value to the service organization, they also are of significant importance for the service organisation’s customers. The Third Party Assurance Reports provide both parties with assurance regarding the internal control environment and demonstrate the quality of the services provided.


Are you looking for an independent audit organisation that can help you with the examination and certification of your service portfolio for a fair price? Do not hesitate to contact [email protected]