Last fall, we talked about the SOC 1 (System and Organization Controls) compliance certification that holds Agiblocks to the highest standards of data security and privacy.
That is why we would be remiss if we didn’t talk about ISAE 3402 too. Indeed, the aforementioned article has sparked a response, as SOC 1 and ISAE 3402 are very much part of the same conversation. In fact, SOC 1 is the US equivalent of ISAE 3402 and covers the same scope and reporting methods. So of course, Agiblocks supports ISAE 3402 as well.
ISAE 3402: what is it?
ISAE 3402 – short for International Standard on Assurance Engagements 3402 – is an international assurance standard focused on controls at a service organization that are relevant to financial reporting.
Organizations are increasingly outsourcing non-core activities to service providers such as SaaS companies, asset managers, and property management firms. ISAE 3402 is a global standard that provides transparency into how services are performed, how data is handled securely, and how it is protected against fraud. The corresponding ISAE 3402 report helps verify that appropriate controls are in place. These reports are crucial for mitigating the risks associated with outsourcing, because they confirm that service providers maintain effective control frameworks, especially in sensitive sectors such as financial services.
ISAE 3402 and SOC 1
SOC 1 is the U.S. equivalent of ISAE 3402 and covers the same scope and reporting methods. ISAE 3402 and SOC 1 reports often look very similar and can be issued together. ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB). If a company uses a third-party service provider that could impact its financial reporting – such as a payroll processor, data center operator, or investment administrator – ISAE 3402 reports help the company’s auditors understand the control environment at that provider.
As with SOC 1, ISAE 3402 reports come in two types:
- Type I — Describes the design of controls at a specific point in time.
- Type II — Describes the design and operating effectiveness of controls over a defined period (usually 6–12 months).
The latter is generally preferred because it provides assurance that the controls not only were designed properly but actually worked as intended over the period covered.
ISAE 3402 & CTRM software
Commodity trading companies often outsource part of their operations to third-party vendors (e.g. hosting, managed services, data feeds, or SaaS CTRM platforms) and rely on CTRM systems to process critical data — trades, positions, pricing, valuations, and settlements — that directly feed into financial reports. ISAE 3402 reports from the CTRM software provider give trading companies and their auditors comfort that the software’s IT and process controls (e.g. data integrity, user access management, change control, transaction processing) are properly designed and operating effectively.
Service organizations that provide or host CTRM systems typically describe controls in the following areas:
- Application security — how user access is set up and periodically reviewed.
- Data processing integrity — whether trades, pricing, valuations and settlements are handled accurately.
- System development and change management — making sure that updates to the CTRM platform are properly tested and approved before release.
- IT operations and backups — showing that the system is available and that data can be restored if needed.
- Third-party data feeds — how inputs such as pricing data are managed to make sure the information is complete and accurate.
- Interfaces to ERPs or general ledgers — how these are handled to confirm that all financial postings are complete and correct.
Does your CTRM software adhere to industry-standard security protocols and regulatory requirements, not only to secure your data but also to ensure legal compliance? Agiblocks does.