Many organizations struggle to achieve an ISAE 3402 with a limited number of findings. There are often several reasons for this: the controls are not executed properly (with the associated evidence) or the framework with risks and controls is not up to date. This can have major consequences. In any case, it is of course a warning sign that the organization is not in control, but it is also commercially challenging to indicate to existing customers or new customers that the ISAE has many findings or even critical limitations.

For those not yet familiar with ISAE statements: The International Standard on Assurance Engagements 3402 (ISAE 3402) is an international standard that provides assurance to clients (and accountants) of organizations that perform processes for those clients. Examples are payroll processors, pension providers and clearing organizations. With this statement, the organization provides its customers with certainty that the framework of internal controls is adequate and functioning.

In this blog I give 10 tips that can help you achieve the cleanest ISAE 3402 possible.

10 tips for a clean ISAE 3402

The following tips are written from the point of view of an ISAE framework, but of course apply to all control frameworks.

  1. Have a good scope

In principle, the ISAE 3402 statement focuses on the processes underlying the financial statements, as it is mainly used by accountants. Therefore, provide a scope that is sufficiently extensive for the users. But try to limit the scope as much as possible. The larger the scope, the more the auditor has to test, the more costs and the greater the chance of failing controls.

I have also seen organizations disconnect the ISAE framework from their regular control framework. Do not do this: it is inefficient to maintain 2 separate frameworks and it creates confusion in the business.

  2. Make sure the controls are up-to-date

This seems logical, but it often happens that the organization changes without the associated controls being included in that change. This is a guarantee of findings during the ISAE 3402 audit. So make sure the entire control framework is always up to date.

  3. Involve the auditor

In relation to the above point: always involve the auditor in (major) changes in the framework. He is the one who will test it, so the changes must be in line with his expectations.

  4. Ensure commitment from employees and management

Unfortunately, control frameworks are often a paper exercise that is only carried by the risk department. Therefore, ensure that employees and management are involved and are aware of the proper implementation of controls. As always, “tone at the top” is key!

  5. References to evidence

It is of course very important that the controls are demonstrably executed. Therefore, make sure that it is clear with which evidence the implementation of the controls can be demonstrated and where this evidence is stored. If this is in order you are halfway there.

  6. Test controls in advance

Introduce testing of controls by management and review of control tests by the risk manager. This ensures management commitment and timely identification of controls that are not working properly or are not being executed properly.

  7. Use incidents as wake-up calls

Incidents occur in every organization. Use them as a wake-up call. Incidents are an important signal that procedures or controls are not working properly. So learn from incidents in the context of “never waste a good crisis”.

  8. Involve clients in the ISAE 3402

Your clients and their accountants are users of the ISAE report. So make sure they are in the loop to avoid disappointments afterwards. In any case, good communication with your clients is very important, but in this context it is crucial. This point also has a strong relationship with the first point, determining the scope.

  9. Ensure that all findings from previous ISAE 3402 audits are resolved in a timely manner

There are probably several findings from previous ISAE 3402 audits. Make sure you solve them in time to prevent them from leading to new findings. It helps if all findings have an owner (preferably at management level), a deadline and monthly progress monitoring.

  10. Assign ambassadors

Provide some ‘control minded’ people as a link between the auditors and the business. This improves communication, prevents misunderstandings and reduces the pressure on the business. What is also advisable is to have kick-off meetings with both the business and the auditors. You can let the business know about do’s and don’ts in communicating with auditors, and you can explain changes in the organization to the auditors and then make clear working arrangements with them.

With the guidelines mentioned above, an organization should relatively easily pass an ISAE 3402 audit. INTERMEDIATE can assist you by providing qualified interim professionals in this area on short notice.



This blog is written by Remco Spruyt