Skip to navigation
Contact us
Request RFP

      What is an ISAE attestation report?

      An ISAE attestation report is an independent assessment performed by an external auditor. Its purpose is to confirm that a company’s organization controls and processes operate as intended. The auditor evaluates these controls based on the International Standard on Assurance Engagements (ISAE), a widely recognized international standard. 

      Today, ISAE reports are no longer limited to classic IT topics. They have equally established themselves in areas such as property management and accounting, are increasingly being used for the preparation and audit of ESG metrics, and are currently gaining significant importance in the context of AI – particularly in attesting to the underlying governance structures and models.

      In essence, an ISAE report is comparable to a Service Organization Controls (SOC) report. Both provide assurance to user entities that a service provider’s systems are reliable, secure and consistently operated.
       

      François El Assad
      François El Assad

      Partner, Assurance Technology

      KPMG Switzerland

      Stefan Wälti
      Stefan Wälti

      Partner, Head of Assurance Technology

      KPMG Switzerland

      Swiss ISAE & SOC Readiness Study 2025

      This first-of-its-kind Swiss study offers a clear overview of how organizations across industries are adopting and applying ISAE and SOC reporting frameworks. It highlights how these reports are structured, distributed and implemented in practice.

      Furthermore, the study contains valuable insights and tips on how an ISAE project can be implemented in a targeted and resource-efficient manner.

      Swiss companies operating locally and internationally must comply with diverse regulatory requirements. From FINMA circulars to EU directives and SEC rules, all are driving increased demand for ISAE and SOC assurance, particularly in sectors such as Technology, Real Estate, and Healthcare. 

      Emerging regulations like the EU Cyber Resilience Act are expected to further shape the assurance landscape in the coming years. More details can be found in the full study.

      Swiss ISAE & SOC Readiness Study 2025

      Swiss ISAE & SOC Readiness Study

      This first-of-its-kind Swiss study explores how ISAE/SOC reports are used across industries.

      Download PDF

      Study insights

      The study includes insights from 27 participating organizations and four expert interviews across five Swiss industries, most of which primarily issue ISAE/SOC reports for the Swiss and wider European markets. Companies with a broader international footprint – particularly those in the Technology, Media & Telecommunications sector – are the most likely to publish their reports globally. 

      As organizations expand beyond Switzerland and Europe, they increasingly rely on ISAE/SOC reporting to meet diverse international compliance requirements and to strengthen trust when entering new markets.

      Study insights > Click on the image to enlarge it

      Key findings

      • 2 out of 27 respondents reported that their reports were qualified (7%). By comparison, a recent UK benchmark shows 20% of reports were concluded as qualified.
      • Most participants exclude third-party suppliers using the carve-out method. Only 7 out of 26 of companies apply the inclusive method.
      • On average, reports include 44 controls. ISAE 3402 and ISAE 3000 reports typically have around 37 controls, while SOC 2 averages 85 controls per report.

      ISAE 3402 explained

      ISAE 3402 applies to service organizations that manage financial or operational processes on behalf of their clients. It demonstrates how internal controls are structured and how effectively they operate each day. 

      Types of ISAE 3402 reports:

      • ISAE 3402 Type 1: reviews the design of controls related to financial reporting at a specific point in time.
      • ISAE 3402 Type 2: assesses both the design and the operating effectiveness of controls over a defined period. This provides stronger assurance about ongoing processes.

      What ISAE 3402 covers

      An ISAE 3402 report reviews internal controls, including process controls, IT and security measures, access management, change management, and daily operational workflows. To support the audit, companies provide policies, procedures, system logs, incident reports and descriptions of control objectives.

      ISAE 3000 explained

      ISAE 3000 is a broader and more flexible standard for assurance engagements other than audits of financial statements. It applies to non-financial topics, such as sustainability reporting, data protection, compliance, AI and operational risk management.

      Organizations use ISAE 3000 to demonstrate transparency in areas that ISAE 3402 does not necessarily cover. It can also be used to issue a report aligned with SOC 2 criteria. ISAE 3000 helps show that a company is trustworthy and has robust data protection and security controls.

      ISAE vs. SOC reports

      ISAE and SOC reports both assess whether a company’s controls and processes are operating effectively. They pursue similar objectives but differ mainly in the origin of the underlying standards they follow (International for ISAE, US-based for SOC).

      A SOC 1 report and an ISAE 3402 report both focus on controls related to financial reporting and provide assurance that financial processes are secure and reliable.

      SOC 2 reports, on the other hand, examine areas like security, availability, confidentiality and privacy. ISAE 3000 can also cover these topics, but it offers more flexibility and can be applied to a broader range of assurance engagements.

       

      Comparison table: ISAE vs. SOC reports 

      SOC 1

      • Primary focus: Internal controls related to financial reporting
      • Use case: Service organizations supporting financial reporting
      • Typically used for: Auditors and customers needing assur­ance or related to financial controls. Examples: property management processes, IT controls of SaaS applications, ESG, carve-out/TSA agreements, hosting, etc.
      • Types: Type I (point-in-time) & Type II (over a period)

      SOC 2

      • Primary focus: Trust Service Criteria: security, availability, processing integrity, confidentiality, privacy
      • Use case: Broadly for tech, cloud, SaaS and service providers
      • Typically used for: Customers seeking transparency over IT / security controls. Examples: SaaS applications & products, etc.
      • Types: Type I & Type II

         

      SOC 3

      • Primary focus: High-level summary of SOC 2 results for general audiences
      • Use case: Public, marketing-friendly trust communication
      • Typically used for: Public trust signals (e.g., website seal / summary). Examples: SaaS applications & products, etc.
      • Types: No type I / II structure




         

      ISAE 3000

      • Primary focus: Assurance over non-financial information (can include security & privacy) 
      • Use case: Very flexible: IT controls, compliance, ESG, processes, non-financial info
      • Typically used for: Organizations with tailored or mixed assurance needs, including IT / security controls. Examples: AI, ESG, SaaS applications & products, compliance, IT controls, etc.
      • Types: Type I & Type II

      ISAE 3402

      • Primary focus: Internal controls related to financial reporting 
      • Use case: Service organizations affecting financial reporting
      • Typically used for: Auditors and customers needing assurance related to financial controls
      • Types: Type I & Type II



         

      Attestation vs. certification

      An attestation (like those of an ISAE 3402 or ISAE 3000 report) is performed by an independent auditor. They check and confirm whether a company’s controls or information meet defined requirements.

      A certification (like ISO 27001 or 42001) is issued by an accredited certifying body. It provides formal proof that a company complies with a specific standard.

      Both build trust but attestation is an audit or review, while certification is a formal confirmation that a standard has been met.

      In general, the market views attestations as stronger evidence of how well controls are implemented and operating.

      This is mainly because auditors are required to perform more extensive testing for an attestation than what is typically required for a certification.

      FAQs

      ISAE stands for International Standard on Assurance Engagements, a set of international standards issued by the International Auditing and Assurance Standards Board (IAASB).

      An ISAE attestation report is a report done by an independent auditor. It checks whether a company’s processes, controls, and information meet the required standards.

      Attestation is a report from an independent auditor that confirms controls or processes meet specific criteria. Certification is an official recognition from a certifying body showing that an organization or system meets a formal standard.

      Type 1 reports check the design of controls at a single point in time. Type 2 reports check both the design and the operating effectiveness of controls over a period. 

      ISAE 3000 is used to provide assurance on non-financial information. It covers areas such as compliance, sustainability, internal controls and other operational topics.

      SOC 1 and ISAE 3402 are considered equivalent. Both focus on controls related to financial reporting.

      SOC 2 reports on security and operational controls. ISAE 3000 can provide similar assurance in an international context.

      The time required to institutionalize the control framework depends significantly on the attested product or service as well as the chosen scope of controls. Based on experience, a period of approximately 3 to 6 months should be planned for this.

      Subsequently, a Type 1 report can be prepared, which assesses the design of the controls as of a specific point in time. For a Type 2 report, however, the controls must be operationally effective over a certain period – in practice, at least three months – in order to assess their actual execution and effectiveness.

      A Type 1 report typically takes a few days. A Type 2 report requires more time, often several days, as it involves assessing the effectiveness of controls over a longer period.

      Only licensed auditors or accredited audit firms can issue ISAE reports. They must perform their work in accordance with the ISAE standards.

      ISAE attestation: build confidence in your controls

      ISAE 3000 and ISAE 3402 reports provide independent assurance over the design and operating effectiveness of your controls.

      Discover how KPMG can support you from readiness and scoping to execution and reporting – helping you meet stakeholder expectations and strengthen trust.

      Discover our services

      Meet our experts

      François El Assad
      François El Assad

      Partner, Assurance Technology

      KPMG Switzerland

      Stefan Wälti
      Stefan Wälti

      Partner, Head of Assurance Technology

      KPMG Switzerland

      Related articles and more information

      Achieve SOC 2 & ISAE 3000 compliance in Switzerland. Protect data, meet regulations, and gain client confidence with KPMG's expert guidance.
      Read more