
Assurance

ISAE 3000 / ISAE 3402

Understanding the Standards

In an environment of outsourcing, digitalisation, and growing regulatory pressure, organisations are expected to prove that their internal controls work - not just claim they exist. 

This assurance is formalised through internationally recognised standards issued by the International Auditing and Assurance Standards Board (IAASB): ISAE 3402 and ISAE 3000.

ISAE 3402 / ISAE 3000

ISAE 3402 applies to service organisations whose processes affect their clients’ financial reporting - for example, IT service providers, payment processors, or fund administrators. These reports allow your clients’ external auditors to rely on your controls when forming their own audit opinion. 

ISAE 3000 has a broader, non-financial scope, covering areas such as information security, compliance, ESG, or operational-control environments. It is the preferred framework for modern assurance needs under DORA, ISO 27001, or governance-related assessments - and is increasingly used within crypto-asset service providers and brokers to demonstrate operational integrity, safeguarding of client assets, and compliance with MiCAR and local supervisory expectations. 

Both standards result in an Assurance Report issued by an independent auditor, confirming that your control framework is suitably designed and (where applicable) operating effectively. 

Type I vs Type II 

Every ISAE engagement can be issued as either a Type I or Type II report: 

  • A Type I report evaluates the design and implementation of controls at a specific date, making it ideal for first-year or readiness assessments. 
  • A Type II report goes further by also assessing the operating effectiveness of those controls over a defined period (typically six to twelve months). 

Please note that Type II provides stronger assurance for clients, auditors, and regulators - but requires more evidence and testing effort. 

Whether to choose Type I or Type II depends on your maturity, reporting objectives, and stakeholder expectations. We can help you make that decision transparently. 

Our approach.

At Risk Boutique, we deliver independent assurance engagements that combine audit discipline with practical execution. All work is performed under the professional and ethical standards of NOREA, the Dutch association of IT Auditors, ensuring technical accuracy and full compliance with national quality requirements. 

01
Readiness & Scoping 

First, we conduct a readiness assessment to evaluate whether your processes and evidence are sufficient for an ISAE engagement. We then work together to define the scope, boundaries, and reporting type - ensuring feasibility, efficiency, and proportionality.

02
Control Mapping & Framework Definition 

We translate your operations into clear, testable control objectives that align with the ISAE criteria. 

Where needed, we refine documentation and evidence so that controls are both traceable and auditable.

03
Testing & Validation 

Our independent auditors perform design and operating-effectiveness testing based on risk, relevance and proportionality. 

Testing follows structured sampling and documentation protocols consistent with NOREA’s quality-management system.

04
Reporting & Delivery

We prepare an Assurance Report (Type I or Type II), accompanied by management observations and pragmatic improvement suggestions.

Our reports are concise, understandable and ready for client distribution or inclusion in external audit files. 

Our assurance engagements are priced transparently and proportionately to scope. Each engagement consists of: 

01
A standard component covering project management, communication, and report issuance.
02
A variable component based on the number of control objectives and whether a Type I or Type II report is required. 

This ensures that costs are aligned with both complexity and effort - never inflated by unnecessary work. A tailored proposal follows an initial scoping conversation.

Why clients choose Risk Boutique.

NOREA-compliant quality - all assurance work adheres to Dutch professional standards for IT auditors

Experience across industries - from financial institutions to crypto-brokers subject to MiCAR and DNB oversight. 

Pragmatic execution - minimal disruption, clear timelines, and meaningful insights. 

Direct senior involvement - boutique attention from start to finish. 

Value beyond compliance - findings that strengthen governance, not just satisfy auditors.