What is an ISAE attestation report?

      An ISAE attestation report is an independent assessment performed by an external auditor. Its purpose is to confirm that a company’s organizational controls and processes operate as intended. The auditor evaluates these controls based on the International Standard on Assurance Engagements (ISAE), a widely recognized international standard.

      In essence, an ISAE report is comparable to a Service Organization Controls (SOC) report. Both provide assurance to user entities that a service provider’s systems are reliable, secure and consistently operated.
       

      François El Assad

      Partner, Assurance Technology

      KPMG Switzerland

      Stefan Wälti

      Partner, Head of Assurance Technology

      KPMG Switzerland

      Swiss ISAE & SOC Readiness Study 2025

      This first-of-its-kind Swiss study offers a clear overview of how organizations across industries are adopting and applying ISAE and SOC reporting frameworks. It highlights how these reports are structured, distributed and implemented in practice. 

      Swiss companies operating locally and internationally must comply with diverse regulatory requirements. From FINMA circulars to EU directives and SEC rules, all are driving increased demand for ISAE and SOC assurance, particularly in sectors such as Technology, Real Estate, and Healthcare. 

      Emerging regulations like the EU Cyber Resilience Act are expected to further shape the assurance landscape in the coming years. More details can be found in the full study.


      Study insights


      The study includes insights from 27 participating organizations and four expert interviews across five Swiss industries, most of which primarily issue ISAE/SOC reports for the Swiss and wider European markets. Companies with a broader international footprint – particularly those in the Technology, Media & Telecommunications sector – are the most likely to publish their reports globally. 

      As organizations expand beyond Switzerland and Europe, they increasingly rely on ISAE/SOC reporting to meet diverse international compliance requirements and to strengthen trust when entering new markets.


      ISAE 3402 explained

      ISAE 3402 applies to service organizations that manage financial or operational processes on behalf of their clients. It demonstrates how internal controls are structured and how effectively they operate each day. 

      Types of ISAE 3402 reports:

      • ISAE 3402 Type 1: reviews the design of controls related to financial reporting at a specific point in time.
      • ISAE 3402 Type 2: assesses both the design and the operating effectiveness of controls over a defined period. This provides stronger assurance about ongoing processes.

      What ISAE 3402 covers

      An ISAE 3402 report reviews internal controls, including process controls, IT and security measures, access management, change management, and daily operational workflows. To support the audit, companies provide policies, procedures, system logs, incident reports and descriptions of control objectives.

      ISAE 3000 explained

      ISAE 3000 is a broader and more flexible standard for assurance engagements other than audits of financial statements. It applies to non-financial topics, such as sustainability reporting, data protection, compliance and operational risk management.

      Organizations use ISAE 3000 to demonstrate transparency in areas that ISAE 3402 does not necessarily cover. It can also be used to issue a report aligned with SOC 2 criteria. ISAE 3000 helps show that a company is trustworthy and has robust data protection and security controls.

      ISAE vs. SOC reports

      ISAE and SOC reports both assess whether a company’s controls and processes are operating effectively. They pursue similar objectives but differ mainly in the origin of the underlying standards they follow (International for ISAE, US-based for SOC).

      A SOC 1 report and an ISAE 3402 report both focus on controls related to financial reporting and provide assurance that financial processes are secure and reliable.

      SOC 2 reports, on the other hand, examine areas like security, availability, confidentiality and privacy. ISAE 3000 can also cover these topics, but it offers more flexibility and can be applied to a broader range of assurance engagements.

       

      Comparison table: ISAE vs. SOC reports

      | Standard / report | Use case | Primary focus | Types | Typically used for |
      |---|---|---|---|---|
      | SOC 1 | Service organizations supporting financial reporting | Internal controls related to financial reporting | Type I (point-in-time) & Type II (over a period) | Auditors and customers needing assurance related to financial controls |
      | ISAE 3402 | Service organizations supporting financial reporting | Internal controls related to financial reporting | Type I & Type II | Auditors and customers needing assurance related to financial controls |
      | SOC 2 | Broadly for tech, cloud, SaaS and service providers | Trust Service Criteria: security, availability, processing integrity, confidentiality, privacy | Type I & Type II | Customers seeking transparency over IT / security controls |
      | ISAE 3000 | Very flexible: IT controls, compliance, ESG, processes, non-financial info | Assurance over non-financial information (can include security & privacy) | Type I & Type II | Organizations with tailored or mixed assurance needs, including IT / security controls |
      | SOC 3 | Public, marketing-friendly trust communication | High-level summary of SOC 2 results for general audiences | No Type I/II structure | Public trust signals (e.g., website seal / summary) |

       

      Attestation vs. certification

      An attestation (such as an ISAE 3402 or ISAE 3000 report) is performed by an independent auditor, who checks and confirms whether a company’s controls or information meet defined requirements.


      A certification (like ISO 27001) is issued by an accredited certifying body. It provides formal proof that a company complies with a specific standard.

      Both build trust, but an attestation is an audit or review, while a certification is a formal confirmation that a standard has been met.

      In general, the market views attestations as stronger evidence of how well controls are implemented and operating.

      This is mainly because auditors are required to perform more extensive testing for an attestation than what is typically required for a certification.

      FAQs

      ISAE stands for International Standard on Assurance Engagements, a set of international standards issued by the International Auditing and Assurance Standards Board (IAASB).

      An ISAE attestation report is a report prepared by an independent auditor. It checks whether a company’s processes, controls, and information meet the required standards.

      Attestation is a report from an independent auditor that confirms controls or processes meet specific criteria. Certification is an official recognition from a certifying body showing that an organization or system meets a formal standard.

      Type 1 reports check the design of controls at a single point in time. Type 2 reports check both the design and the operating effectiveness of controls over a period. 

      ISAE 3000 is used to provide assurance on non-financial information. It covers areas such as compliance, sustainability, internal controls and other operational topics.

      SOC 1 and ISAE 3402 are considered equivalent. Both focus on controls related to financial reporting.

      SOC 2 reports on security and operational controls. ISAE 3000 can provide similar assurance in an international context.

      A Type 1 report usually takes 6 to 12 weeks. A Type 2 report takes longer, often 3 to 6 months, because it assesses controls over time.

      Only licensed auditors or accredited audit firms can issue ISAE reports. They must perform their work in accordance with the ISAE standards.


      ISAE attestation: build confidence in your controls

      ISAE 3000 and ISAE 3402 reports provide independent assurance over the design and operating effectiveness of your controls.

      Discover how KPMG can support you from readiness and scoping to execution and reporting – helping you meet stakeholder expectations and strengthen trust.
