ISAE (International Standards for Assurance Engagements) 3402 is a global assurance standard for reporting on controls at service organizations. It became effective on June 15, 2011, largely in response to the passage of the Sarbanes-Oxley Act (often referred to by the acronym SOX), which was enacted in the aftermath of the Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices.
ISAE 3402 is an extension and expansion of SAS 70 (the Statement on Auditing Standards No. 70), which defined the standards an auditor must employ in order to assess the contracted internal controls of a service organization. SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA) as a simplification of a set of criteria for auditing standards originally defined in 1988.
In ISAE 3402, as in its predecessor SAS 70, auditor reports are classified as either Type I or Type II. In a Type I report, the auditor evaluates the efforts of a service organization at the time of the audit to prevent accounting inconsistencies, errors and misrepresentation. The auditor also evaluates the likelihood that those efforts will produce the desired future results. A Type II report includes the same information as a Type I report; in addition, the auditor attempts to determine the effectiveness of agreed-on controls since their implementation. Type II reports generally incorporate data compiled over a six-month time period.