RSM Poland


Reporting according to ISAE 3402

Michał DREAS
Audit Manager at RSM Poland

Although many companies have outsourced some or all of their processes to outside companies, it seems that the popularity and commonness of outsourcing is steadily increasing. The principal reason for this undoubtedly is an increase in managerial awareness, resulting from a more mature market, globalization effect and wider cooperation in an international environment (for example, within an international capital group).

It is worth considering whether the spread of outsourcing services by the so-called service organizations and the increase in the number of companies that provide such solutions is also followed by adequate attention to ensure that internal controls within an outsourcing company are appropriately designed and, more importantly, properly implemented so that a user organization is comfortable that the risk is limited to an acceptable level. Moreover, during the outsourcing of any business process, a user organization often requires a service organization to ensure that it has a sufficient level of safeguards and control to properly manage financial, operational and regulatory risks.

Therefore, an independent, professional report provided by an auditor who conducted an audit in an outsourcing organization in accordance with international audit standards (ISAE 3402) may be the right solution. Such a report will confirm the quality of the service being purchased. Moreover, it could also be made available to existing and potential customers (user entities.)

ISAE 3402 reporting, in conjunction with internal audit conformity assessment activities in an organization may help to:

  • identify and raise awareness of the relationship/links between key processes;
  • identify any existing loopholes in processes and controls that may pose an increased risk to the functioning of the organization.

A service auditor’s report can be made available to customers (users) so that their auditors (user auditors) analysing financial statements could also rely on the results and findings contained in the auditor's report. This, in turn, may result in limiting or even eliminating the need for additional procedures when verifying clients' financial statements. An organization which has such a report at its disposal can thus contribute to minimizing the involvement of additional resources and therefore reduce costs, especially in the face of the recent changes in the methodology of auditing financial statements.

The benefits that ISAE 3402 report owners can achieve include:

  • strengthening the reputation of their organization;
  • a positive impact on users’ comfort and that of their auditors;
  • the ability to demonstrate that control activities have been designed and implemented on the basis of the adopted internal control framework;
  • obtaining an assurance/verification of the control environment characteristics based on an internationally recognized standard.