This site uses cookies to provide you with a more responsive and personalized service. By using this site you agree to our use of cookies. Please read our cookie notice for more information on the cookies we use and how to delete or block them.

Bookmark Email Print this page

Third-Party Assurance ISAE3402 (previously SAS70)

Our service offering

Outsourcing is a growing trend, and companies increasingly depend on third-party providers to deliver critical services.

The purpose of an ISAE3402 review is to provide client auditors with an objective report that expresses an opinion about the control environment of a service organisation. The benefit is an objective opinion about a standardised set of objectives tested only once to minimise business disruption.

Companies often depend on many providers to deliver any number of services. Consequently, outsourcing companies are looking for third-party assurance to provide their clients with comfort about their internal control environment.

Deloitte will perform an ISAE3402 review, which provides an objective report that expresses an opinion about the control environment of a service organisation on which multiple auditors can rely. This will be based on a standardised set of objectives, tested only once in a period, which minimises business disruption and provides the ICT service provider’s clients with proactive assurance. The controls tested are typically those that will have a direct impact on the risk of material misstatement in your financial account balances

Hiring an independent service auditor to perform the review allows your organisation to be subjected to just one internal controls audit. Upon completion, the report is distributed to the service organisation’s users so that their auditors may rely upon its opinion and findings and subsequently limit or eliminate additional substantive audit procedures.

User organisations that obtain a Service Auditor's Report from their service organisation(s) receive valuable information regarding the service organisation's controls and the effectiveness of those controls. The user organisation receives a detailed description of the service organisation's controls and an independent assessment of whether the controls were placed in operation, suitably designed and operating effectively (in the case of a Type II report).

Key contacts

Shahil Kanjee
Tel: +27 (0)11 806 5353

Thought Leadership

ISAE 3402 and SSAE 16 (Replacing SAS 70) - Reinforcing confidence through demonstration of effective controls

Service organizations - Signing on to changing requirements

Stay connected:


Material on this website is © 2014 Deloitte Global Services Limited, or a member firm of Deloitte Touche Tohmatsu Limited, or one of their affiliates. See Legal for copyright and other legal information.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Get connected
Share your comments



More on Deloitte
Learn about our site


Recently blogged