The International Standard on Assurance Engagements (ISAE) 3402 (formerly SAS 70) is the world standard for service providers to give customers assurance on the quality of the services they outsource.

The ISAE 3402 standard has a retrospective character. Due to increased attention from regulators to internal controls at financial institutions, the default ISAE 3402 standard of a service provider no longer meets the requirements of financial institutions. These institutions require additional information that gives them more insight into the quality of the services they have outsourced.


In this situation, increased trust can supplement the assurance provided by the ISAE 3402 standard. By creating a transparent Risk & Control Framework and informing clients about it, the service provider can increase this trust. The Framework provides insight into and oversight of the relevant risks and internal control measures.

For financial institutions, this extended service level is part of the operational risk that they must manage under both the Basel II and Basel III regulations. For a proper assessment of the operational risks, it is important for the financial institution and the service provider to understand each other's risk identification and risk assessment, as well as the internal controls that were established to control operational risks.

This mutual understanding enables an optimal ‘tuning’ of these risks and internal control measures, giving the financial institution the confidence that the service provider strives for maximum customer satisfaction. The illustration below gives a high-level overview of a Risk & Control Framework for a service provider that offers services to financial institutions.

Risk management methods and tools such as BowTie can add more detail to this Risk & Control Framework. BowTie's visual representation of risk assessments can support the process of tuning the risks and internal control measures between the service provider and its clients, providing a clear added value.