Solita Denmark (Solita A/S) is ISAE 3402 Type II certified. An ISAE 3402 audit statement provides a picture of the general state of the IT organisation, documents proper IT conditions and serves as proof that we at Solita A/S comply with legal requirements and sustainable IT practice. The statement is prepared by an independent, government-approved auditing company, which ensures a review of documentation and random checks of the various areas based on ISO 27001/2.
Description of ISAE 3402 Type II
ISAE stands for “International Standard for Assurance Engagements” and ISAE 3402 is an international standard used for audit and assurance engagements to provide a high level of assurance on the internal controls of service providers, including IT service providers. The assurance opinions are used by user organisations (the service provider’s customers) and their auditors. ISAE 3402 is also a SOC1 report within Service Organisation Control (SOC) reports.
The standard provides a framework for how the service provider’s auditor should perform his or her work and issue opinions, including how the auditor obtains reasonable assurance that the service provider’s description of its system is fairly stated, that the service provider’s controls are suitably designed, and that the controls have operated effectively. There must be a relationship between the controls that the auditor tests and the purpose of the controls (control objectives), including the risks that the controls are designed to address.
The certification standard provides for two types of statements: one (type 1) is for a given date and the other (type 2) is for a period, usually at least six months. A Type 2 statement includes the auditor’s opinion on whether the service provider’s description of the controls, designed and implemented for a particular period, is true and on point for the period in question. It also includes comments on whether the controls were suitably designed for the period, and whether the controls operated effectively throughout the period.
The statement consists of three parts:
- The service provider’s description of the system
- The service provider’s statement on the description and controls
- The auditor’s opinion on the service provider’s assertions in relation to the description.
The statement should describe the service provider’s services in general terms and, moreover, address the objectives of the controls and the related controls in details. This makes it easy for any user-organisation’s appointed auditor to gain an understanding of the services and controls. The statement should include confirmation that the description is accurate and a statement that the controls were appropriately designed and operated effectively throughout the period. Finally, the service provider must describe the policies and procedures. The control objectives, identified risks and controls must also be well documented.