Trust is the basis of every partnership – but in the IT sector, objective proof of this trust is critical to business. MTF now has ISAE 3402 Type 1 certification for its private cloud services. This internationally recognised standard confirms, through an independent auditor, that our control objectives are appropriately designed and implemented.
MTF has taken an important step forward in terms of transparency, security and process quality: following an external audit, the design of our internal control system (ICS) has been certified in accordance with the international standard ISAE 3402 Type 1. This result underlines our long-term commitment to the highest standards in the management and control of private cloud services.
The International Standard on Assurance Engagements 3402 was developed by the International Federation of Accountants (IFAC) and is now the authoritative auditing standard for service providers that take on business-critical processes. It is specifically aimed at companies that offer IT infrastructures, cloud services or data centre operations that are relevant to their customers' financial reporting.
An ISAE 3402 Type 1 report documents in detail which control objectives MTF has defined, how these are structured and that they were implemented at the time of the audit. This provides customers and their auditors with structured evidence of their cloud partner's internal control system.
ISAE 3402 was created as an international standard to establish a uniform audit approach for outsourced services. The standard has been applicable in Switzerland since 2014 and has established itself as a mark of quality for IT service providers, data centres, cloud providers and business process outsourcing providers. The audit report includes a management statement, a description of the audited organisation and services, detailed control objectives and the independent auditor's opinion on the effectiveness of the controls implemented.
In times of increasing digitalisation, stricter regulatory requirements and complex cloud relationships, the visibility of control mechanisms is becoming more important than ever for customers. ISAE 3402 serves as an international signal of quality and trust: an audit not only confirms technical and organisational controls in areas such as IT operations, change and access controls, but also creates transparency about processes that directly or indirectly affect compliance or critical business functions.
For companies in industries with high regulatory requirements – such as financial services, healthcare or software as a service – an ISAE report is not only a competitive advantage, but often a mandatory requirement in the context of due diligence by customers or auditors.
The Type 1 audit confirms that MTF Solutions' control objectives are appropriately designed and implemented at the time of the audit. An independent auditor has reviewed the design of internal controls in areas such as:
The Type 1 confirmation provides a solid foundation. The next step will follow in 2026 with the Type 2 audit, which will document the operational effectiveness of our controls in ongoing operations over a period of twelve months.
When companies use cloud services, they remain responsible for compliance requirements. Their auditors must be able to verify that outsourced processes are also adequately controlled. Without an ISAE 3402 report, auditors would have to check every single customer on site at the service provider – a time-consuming and expensive undertaking.
The ISAE 3402 confirmation complements our existing certifications such as ISO 27001 and underlines our commitment to reliable cloud services. While ISO 27001 certifies a comprehensive information security management system, ISAE 3402 focuses specifically on controls in outsourced processes – tailored to the requirements of our customers and their auditors.
For MTF, the ISAE 3402 audit is part of our ongoing commitment to quality. It shows that we not only understand our customers' expectations, but also meet them in a measurable way.