What you'll learn

  • How to determine whether a Type 1 or Type 2 report gives you what you need (ISA 402.12-14)
  • How to identify and test CUECs so the service organisation's controls actually work end-to-end (ISA 402.15-16)
  • What to do when the report period doesn't cover your full audit period, including bridge letter reliance
  • How to assess the fraud risk dimension that ISA 402.17 requires but most user auditors skip

Your client outsources payroll to an external bureau. The service organisation hands you a 90-page ISAE 3402 Type 2 report. You need to figure out what it actually covers, whether you can rely on it, and what testing you still need to do yourself. The partner wants an answer by Friday.

To evaluate a service organisation report under ISA 402, the user auditor must assess whether the report covers the relevant period and services, determine if the control objectives are relevant to the client's financial statement assertions, test complementary user entity controls (CUECs) listed in the report, and evaluate any deviations or exceptions the service auditor identified.

What ISA 402 requires from the user auditor

ISA 402.9 requires the user auditor to obtain a sufficient understanding of the nature and significance of the services provided by the service organisation, and their effect on the user entity's internal controls relevant to the audit. This isn't optional background reading. It's a risk assessment procedure.

Before you open the service organisation report, answer two preliminary questions. What processes does the client outsource? And which financial statement assertions do those processes affect? If the client outsources payroll processing, the affected assertions are completeness and accuracy of payroll expense, existence and valuation of payroll liabilities, the related tax withholding obligations, and proper period allocation of costs. If the client outsources IT hosting for its ERP system, the scope is broader: every transaction processed through that system has a dependency on the service organisation's IT general controls.

ISA 402.10 states that the user auditor must evaluate the design and implementation of controls at the user entity that relate to the services provided by the service organisation. The service organisation report is one source of evidence. It is not the only source, and it does not replace your own understanding of how the client interacts with the service provider.

ISA 402.11 directs the user auditor to determine whether a sufficient understanding can be obtained from the user entity alone, or whether the service organisation report (or direct inquiry of the service organisation, or a visit) is needed. For most mid-market audits, the report is the only practical option. Visiting the service organisation is rarely feasible.

Type 1 vs Type 2: which report gives you sufficient evidence

ISA 402.12-14 distinguish between two types of report, and the distinction determines what audit evidence you get.

A Type 1 report (ISAE 3402, paragraph 2) describes the service organisation's system and the suitability of design of controls at a specific date. It tells you that controls were designed and implemented as of, say, 30 September 2025. It does not tell you whether those controls operated throughout the period.

A Type 2 report adds operating effectiveness testing over a specified period (ISAE 3402, paragraph 2(b)). The service auditor selects samples, tests whether controls operated as described, and reports deviations. This is the report that gives you evidence about whether the controls worked, not just whether they existed.

For substantive testing purposes, a Type 1 report is rarely sufficient on its own. If your audit strategy relies on the operating effectiveness of controls at the service organisation (which it usually does when the client outsources a significant process), you need a Type 2 report. ISA 402.13 makes this explicit: when the user auditor plans to rely on operating effectiveness, a Type 1 report provides only limited evidence.

When reading the Type 2 report, check four things immediately. What period does it cover? Which control objectives were tested? What was the service auditor's opinion (unmodified or modified)? Were any deviations noted in the detailed testing results? A clean opinion with multiple noted deviations in the detail still requires your evaluation.

How to evaluate control objectives and their relevance

Not every control objective in the report is relevant to your audit. A service organisation report for a payroll bureau might include 12 control objectives covering IT access, change management, backup and recovery, physical security, payroll calculation accuracy, tax remittance, and data integrity. If your client only uses the payroll calculation and tax filing services, the backup and recovery objective may be relevant (because data loss affects completeness), but the physical security objective for the data centre probably isn't.

Map each control objective to the financial statement assertions you identified during planning. ISA 402.9 requires this mapping. If a control objective doesn't relate to any assertion relevant to your audit, you can exclude it from your evaluation. Document the mapping and the rationale for any exclusions.

For each relevant control objective, read the service auditor's description of the controls, the tests performed, and the results. Pay attention to the population and sample sizes. A control tested once on a quarterly basis (four occurrences, all four tested) gives you different evidence than a control that operates daily (250 occurrences, 25 tested with 2 deviations).

The ISAE 3402 pack includes a pre-built structure for this mapping exercise, with columns that link each control objective to assertions and document the user auditor's evaluation of deviations.

CUECs: the controls the service organisation assumes you operate

This is where most user auditors fall short. ISA 402.15 states that the user auditor must determine whether the user entity has implemented the complementary user entity controls (CUECs) identified in the service organisation report. Every ISAE 3402 report lists CUECs. They represent the service organisation's assumption that the user entity operates certain controls without which the service organisation's controls cannot function as designed.

A common CUEC for payroll: "The user entity authorises all employee master data changes before submitting them to the service organisation." If the client doesn't have a formal authorisation process for master data changes, the service organisation's payroll calculation controls are built on an unverified input. The calculation might be perfectly accurate, but if unauthorised pay rate changes flow into the system, accuracy of the output doesn't mean accuracy of the expense.

Your responsibility under ISA 402.16 is to identify every CUEC in the report, determine whether the client has implemented it, and test its operating effectiveness if you plan to rely on the related service organisation control. This isn't a reading exercise. It requires testing.

CUECs fall into two categories. Some are assumed in the design of the service organisation's controls (the control literally cannot function without the user entity's input). Others are recommended as additional risk mitigation. Focus your testing on the first category. If a CUEC is assumed in design and the client hasn't implemented it, the corresponding control objective at the service organisation has a gap, regardless of what the Type 2 report says.

Document each CUEC, the client's corresponding control, the evidence you obtained, and your conclusion on operating effectiveness. If a CUEC is not implemented, evaluate the impact on your risk assessment and determine whether compensating controls exist at the client.

What to do when the report period falls short

The report covers 1 April 2025 to 30 September 2025. Your audit period ends 31 December 2025. Three months are uncovered. This is one of the most common practical problems user auditors face, and ISA 402.12(b) requires you to address it.

You have several options, and the appropriate choice depends on the length of the gap.

For gaps of up to three months, a bridge letter (also called a gap letter or management assertion letter) from the service organisation is standard practice. The letter is a management representation that controls continued to operate as described during the gap period, that no significant changes to the system occurred, and that no new material risks emerged. The bridge letter is not audited. It is a representation, not assurance. Document your reliance on it and the basis for concluding it is reasonable.

For gaps of three to six months, a bridge letter alone becomes more problematic. Consider supplementing it with inquiry of the client about any service disruptions or changes during the gap period, review of the client's own monitoring activities, and testing of a sample of transactions processed during the gap period.

For gaps exceeding six months, the report probably doesn't give you sufficient coverage. You'll need to perform substantive procedures over the outsourced process for the uncovered period, request an updated report or a separate engagement covering the gap, or treat the outsourced process as if no report exists and adjust your audit approach accordingly.

This three-month convention is industry practice. No ISAE or ISA standard codifies a specific acceptable gap period. Document your rationale for whichever approach you take, and anchor it in the overall assessment of risk for the outsourced process.

Fraud considerations at the service organisation

ISA 402.17 requires the user auditor to consider how the use of a service organisation affects the user entity's susceptibility to fraud. Most user auditors read the report, test CUECs, and stop. The fraud question gets a one-line note in the planning memo.

Think about it practically. The service organisation's employees have access to your client's data. For a payroll bureau, that means access to bank account details, salary rates, and tax information. For an IT hosting provider, it might mean access to the general ledger database. The fraud risk isn't theoretical.

Your evaluation should cover three areas. Does the service organisation report describe controls specifically designed to prevent or detect fraud by service organisation personnel (access restrictions, segregation of duties, exception monitoring)? Has the client experienced any anomalies in the outsourced process during the audit period (unexplained variances, complaints from employees about pay discrepancies, unusual transaction volumes)? Does the service organisation's description of the system identify any subservice organisations, and if so, are they covered by the report or carved out?

If the report uses the carve-out method for a subservice organisation, the subservice organisation's controls are excluded from the report. You need to determine whether the subservice organisation processes transactions that affect your client's financial statements and, if so, how you'll obtain evidence about those controls.

Worked example: evaluating the payroll report at Jansen Engineering B.V.

Scenario: Jansen Engineering B.V. manufactures precision components in Rotterdam. Revenue for the year ended 31 December 2025 was €32 million. Jansen outsources payroll processing for its 185 employees to Loon Services N.V. The engagement team received an ISAE 3402 Type 2 report for the period 1 January 2025 to 30 September 2025. Overall materiality for the audit is €160,000. Payroll expense for the year was €9.4 million.

1. Assess the report's scope and relevance.

The report covers five control objectives: payroll data input accuracy, payroll calculation, tax withholding and remittance, data backup and recovery, and logical access to the payroll system. All five are relevant to the payroll expense and payroll liability assertions. The service auditor issued an unmodified opinion.

Documentation note: Record the control objectives, the period covered, and the opinion type. Map each objective to the relevant financial statement line items (payroll expense, social security liabilities, wage tax liabilities, net salary payable).

2. Evaluate deviations in the testing results.

The detailed testing section reports one deviation in the payroll data input accuracy control objective: one instance out of 25 tested where a salary change was processed without the required dual authorisation at the service organisation. The service auditor concluded the deviation was isolated and did not affect the overall opinion.

Documentation note: Record the deviation, the control objective affected, the population size and sample size, and the service auditor's conclusion. Assess whether the deviation affects your risk assessment. One deviation in 25 tested items corresponds to a 4% observed deviation rate. For a control operating monthly (12 occurrences), one deviation is more significant than for a control operating daily. Determine the control's frequency from the report description.

3. Identify and test CUECs.

The report lists four CUECs: (a) user entity authorises all employee master data changes before submission, (b) user entity reviews monthly payroll summary report before payment execution, (c) user entity notifies Loon Services of terminated employees within 5 business days, (d) user entity reconciles payroll output to its general ledger monthly.

Test each one. For CUEC (a), select 10 master data changes from the HR records (new hires, pay rate changes, terminations) and verify authorisation by the HR manager. For CUEC (b), inspect the monthly payroll summary for six months and verify sign-off by the financial controller. For CUEC (c), select five terminations and check the notification date against the HR exit file. For CUEC (d), inspect six monthly reconciliations.

Documentation note: Record the CUEC, the test performed, the sample size, the results, and the conclusion. Flag any CUEC not implemented. At Jansen, CUEC (c) failed: two of five terminations were notified 8 and 12 business days after the employee's last day. Evaluate the impact: late notification means the terminated employee could have been included in a subsequent payroll run. Check whether the client's bank payment controls would have caught an erroneous payment.

4. Address the gap period.

The report runs to 30 September 2025. The audit period ends 31 December 2025, which leaves a three-month gap. Obtain the bridge letter from Loon Services management. Review it for the required assertions (no system changes, controls continued to operate, no new material risks, no subservice organisation changes). Supplement with inquiry of Jansen's financial controller about any payroll issues in Q4 and inspect the October, November, and December payroll reconciliations (CUEC (d)).

Documentation note: File the bridge letter. Record the supplementary procedures performed and their results. Conclude on whether the combined evidence (Type 2 report plus bridge letter plus supplementary procedures) is sufficient for the full audit period.

5. Consider fraud risk.

The report describes logical access controls restricting payroll data modification to authorised Loon Services employees. Segregation of duties separates data input from payment file generation. No subservice organisations are used. Inquire of Jansen management whether any payroll anomalies occurred during 2025. No issues reported.

Documentation note: Document the fraud consideration under ISA 402.17. Reference the access controls and segregation of duties described in the report. Record management's response to fraud inquiry regarding the outsourced process.
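To make steps 2 to 4 of the worked example checkable, here is an added Python helper (not from the article and not any firm's methodology) that computes the uncovered months and the article's recommended gap approach, the observed deviation rate with its projection onto the control population, and the business-day lag test for CUEC (c). The employee ids and termination dates are constructed sample data, and the business-day count skips weekends only; public holidays are an assumption left out.

```python
from datetime import date, timedelta

# Constructed sample for CUEC (c): (employee id, last working day, date Loon Services
# was notified). Two of the five exceed the 5-business-day limit, as in the article.
TERMINATIONS = [
    ("E101", date(2025, 3, 7), date(2025, 3, 10)),
    ("E102", date(2025, 3, 10), date(2025, 3, 14)),
    ("E103", date(2025, 3, 14), date(2025, 3, 26)),   # 8 business days late
    ("E104", date(2025, 3, 17), date(2025, 3, 24)),   # exactly 5: still within the limit
    ("E105", date(2025, 3, 19), date(2025, 4, 4)),    # 12 business days late
]


def gap_months(report_end: date, period_end: date) -> int:
    """Calendar months left uncovered after the report period; a partial month counts whole."""
    first_uncovered = report_end + timedelta(days=1)
    if first_uncovered > period_end:
        return 0
    return ((period_end.year - first_uncovered.year) * 12
            + period_end.month - first_uncovered.month + 1)


def gap_approach(months: int) -> str:
    """The article's bands: industry practice, not codified in ISA 402 or ISAE 3402."""
    if months == 0:
        return "no gap"
    if months <= 3:
        return "bridge letter"
    if months <= 6:
        return "bridge letter plus inquiry, monitoring review and gap-period sample"
    return "insufficient coverage: substantive procedures or an updated report"


def evaluate_deviation(deviations: int, sample: int, population: int) -> tuple:
    """Observed deviation rate and its straight projection onto the control's population."""
    rate = deviations / sample
    return rate, round(rate * population, 1)


def business_days_after(start: date, end: date) -> int:
    """Weekdays strictly after `start` up to and including `end` (holidays ignored)."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count


def cuec_notification_failures(sample=TERMINATIONS, limit: int = 5) -> list:
    """CUEC (c): terminations must be notified to the bureau within `limit` business days."""
    failures = []
    for emp, last_day, notified in sample:
        lag = business_days_after(last_day, notified)
        if lag > limit:
            failures.append((emp, lag))
    return failures


if __name__ == "__main__":
    months = gap_months(date(2025, 9, 30), date(2025, 12, 31))
    print(f"gap: {months} months -> {gap_approach(months)}")
    print("input accuracy deviation (rate, projected):", evaluate_deviation(1, 25, 250))
    print("CUEC (c) failures:", cuec_notification_failures())
```

Projecting the same 4% rate onto a monthly control (12 occurrences) versus a daily one (250) is what makes the frequency point in step 2 concrete.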

Evaluating the service auditor's competence and independence

ISA 402.12(a) requires the user auditor to consider the service auditor's professional competence and independence. This isn't a formality. If the service auditor lacks the necessary qualifications or is not independent of the service organisation, the report doesn't provide reliable evidence.

Check the service auditor's opinion letter. It should state compliance with ISAE 3402 (or SOC 1 for US-based reports). It should identify the firm and the engagement partner. If the service auditor is an unfamiliar firm, check their registration with the relevant professional body (NBA in the Netherlands, WPK in Germany, IRE/IBR in Belgium).

Independence is harder to verify from the outside, but red flags exist. Is the service auditor also the statutory auditor of the service organisation? This is permitted under some frameworks but creates a self-review risk. Does the service auditor provide other services to the service organisation that might compromise objectivity? If you have concerns, ISA 402.12(a) gives you the basis to request additional information or to perform alternative procedures.

For US SOC 1 reports received by European user auditors, confirm that the AICPA standards under which the report was issued provide substantially equivalent assurance to ISAE 3402. In most cases they do, but document the basis for your conclusion.

User auditor evaluation checklist

  1. Confirm the report type (Type 1 or Type 2) and verify that a Type 2 report is available when your audit strategy relies on operating effectiveness of controls at the service organisation (ISA 402.13-14).
  2. Evaluate the service auditor's professional competence and independence, including their registration with the relevant professional body and whether their opinion references compliance with ISAE 3402 (ISA 402.12(a)).
  3. Map every control objective in the report to the financial statement assertions affected by the outsourced process, and exclude objectives not relevant to the audit with documented rationale.
  4. Read the detailed testing results for every relevant control objective and evaluate each deviation, including its frequency relative to the control's operating frequency, not just the service auditor's overall conclusion.
  5. List all CUECs from the report, test operating effectiveness for each CUEC that is assumed in the design of a relevant service organisation control, and document the impact of any CUEC failure on your overall assessment (ISA 402.15-16).
  6. Address any gap between the report period end date and the audit period end date with a bridge letter (for gaps up to three months), supplementary procedures, or substantive testing over the uncovered period.

Common mistakes

  • Relying on the service auditor's overall opinion without reading the detailed testing results. An unmodified opinion can coexist with multiple noted deviations. The AFM has flagged files where the user auditor filed the report without evaluating individual deviations against the specific control objectives relevant to the audit.
  • Not testing CUECs at all, or treating the CUEC list as informational rather than as a testing requirement. ISA 402.15 is explicit: the user auditor determines whether the user entity has implemented the CUECs. This requires evidence, not assumption.
  • Ignoring the gap period between the report date and the audit period end, particularly when the gap exceeds three months and no supplementary procedures are documented.

Related resources

  • Service organisation. Glossary entry covering the definition of a service organisation under ISA 402, the distinction between Type 1 and Type 2 reports, and when a report is needed.
  • ISAE 3402 pack. The pack includes a user auditor evaluation structure with pre-built CUEC testing templates, deviation assessment columns, and a bridge letter template covering gap periods of varying length.
  • ISAE 3402 vs SOC 2: which report does your client need? (forthcoming post). Comparison guide explaining when a European user auditor can rely on a US SOC 1 report and when an ISAE 3402 report is required.
