Key Takeaways
- ISA 402.15 requires the user auditor to evaluate the Type II report, not just obtain it. Evaluation means mapping relevant control objectives, reading exceptions, assessing the service auditor, and testing CUECs.
- Complementary user entity controls (CUECs) are not tested by the service auditor. They must be tested by you at the user entity. An untested CUEC relevant to a relied-upon control is a gap in your evidence.
- When the report period doesn’t match your audit period, ISA 402.12 requires additional evidence for the gap. A bridge letter combined with management inquiry is the most common approach for gaps of one to six months.
- The AFM’s 2023 inspection cycle flagged review of service organisation reports as insufficient in a significant proportion of inspected files.
The client’s payroll runs through an external bureau. Their investment transactions clear through a third-party custodian. Their entire general ledger sits in a cloud-hosted ERP managed by a service organisation. You requested the Type II report in October, received a 200-page PDF in November, and now it’s sitting in the file with a note that says “obtained and reviewed.” The partner asks what complementary user entity controls you tested. You open the report for the first time and realise you don’t know where to find them.
A service organisation report under ISAE 3402.4 (or SSAE 18 SOC 1 in US engagements) gives the user auditor information about controls at a service organisation that are relevant to the user entity’s financial reporting. Under ISA 402.15 the user auditor evaluates that report to determine whether it provides sufficient appropriate audit evidence about the design and operating effectiveness of those controls.
Type I versus Type II: which report you need and why
ISAE 3402 produces two report types, and the distinction drives your entire audit approach to the service organisation’s controls.
A Type I report covers design and implementation at a point in time. The service auditor evaluates whether the controls described in the report are suitably designed and have been placed in operation as of a specific date. ISAE 3402.2(b) defines this. A Type I report tells you what controls exist. It doesn’t tell you whether they worked over a period.
A Type II report covers design, implementation, and operating effectiveness over a stated period (typically six or twelve months). ISAE 3402.2(a) defines this. The service auditor tests the controls and reports exceptions. A Type II report tells you both what controls exist and whether they operated effectively during the reporting period.
For most audit engagements where the user entity relies on a service organisation for a financially significant process, you need a Type II report. ISA 402.15 requires you to evaluate whether the service auditor’s report provides sufficient appropriate evidence about the operating effectiveness of controls. A Type I report can’t satisfy this because it doesn’t test operating effectiveness. A Type I report is only sufficient when you plan no control reliance and are using the report solely to understand the service organisation’s processing environment.
What ISA 402 requires you to do with the report
ISA 402 doesn’t let you treat a service organisation report as a pass/fail certificate. Obtaining the report is step one. Reviewing it is where the audit evidence is generated.
ISA 402.15 requires the user auditor to evaluate whether the Type II report provides sufficient appropriate audit evidence. That evaluation involves four specific assessments:
- Assess relevance. Identify which control objectives in the report map to assertions you’re testing. A payroll service bureau’s report may cover 80 controls. Not all 80 are relevant to your client’s financial statements.
- Assess the service auditor. ISA 402.16 requires you to evaluate professional competence and independence. Check whether the service auditor is a licensed firm and whether the report states compliance with ISAE 3402 or SSAE 18.
- Read the opinion. A qualified opinion or reported exceptions on specific controls require you to assess the impact on your audit. An exception on a control you’re relying on doesn’t automatically mean your audit approach fails, but it does mean you need to determine whether the exception affects the user entity’s transactions.
- Evaluate the testing results. Section IV of a typical Type II report lists every control objective, the test performed, and any exceptions. Read this section for the controls relevant to your audit.
How to read a Type II report efficiently
A full Type II report for a mid-size service organisation runs 100 to 250 pages. You don’t need to read every page. You need to read five sections, and you need to read them in a specific order.
Start with Section I (the service organisation’s description of its system). Skim this for the process flow relevant to your client’s transactions. Identify the input points, the processing steps, and the output points.
Move to Section IV (tests of controls and results). The audit evidence lives here. For each control objective relevant to your engagement, read the control description, the test performed, and the result. Focus on exceptions. A report with zero exceptions across all tested controls is unusual for a complex service organisation; if you see one, read more carefully rather than less.
Then read Section II (the service auditor’s opinion). Confirm it’s unqualified for the controls you care about.
Read Section III (the service organisation’s management assertion). This confirms that management asserts the description is fairly presented, the controls are suitably designed, and (for Type II) the controls operated effectively.
Finally, read Section V (complementary user entity controls). This is the section that creates work for you on the user entity side. Skip it and you’ve missed the controls the service organisation explicitly says are your client’s responsibility.
Go to Section IV first
When the report arrives, go straight to Section IV (tests of controls). Read exceptions first for the control objectives you mapped as relevant. This tells you whether you have a problem before you invest time reading the full description.
Complementary user entity controls: the section most teams skip
Every ISAE 3402 report includes a list of complementary user entity controls (CUECs). These are controls the service organisation assumes the user entity operates. The service organisation’s controls are designed on the assumption that these user-side controls function. If they don’t, the service organisation’s controls may not achieve their objectives even if they’re operating effectively on the service organisation’s side.
CUECs are typically found in Section V of the report or embedded in the system description in Section I. Common examples include: restricting access to the interface used to submit data to the service organisation, reconciling output reports from the service organisation to the user entity’s own records, and reviewing exception reports generated by the service organisation’s system.
ISA 402.15(b) requires you to evaluate whether the Type II report provides evidence about the operating effectiveness of the controls. But CUECs aren’t tested by the service auditor. They’re tested by you, on the user entity side. If a CUEC is relevant to an assertion you’re testing and you haven’t tested it, you have a gap in your evidence.
The practical approach: extract every CUEC from the report into a separate working paper. Map each one to the assertion it supports. Determine which CUECs are relevant to your audit. Test those CUECs at the user entity. Document the results alongside your evaluation of the service organisation report. A finding that the user entity doesn’t operate a relevant CUEC has the same effect as finding that a control at the service organisation didn’t operate. It changes your evidence base.
When the report period doesn’t match your audit period
This is the most common practical problem with service organisation reports, and it’s the one with the most direct regulatory consequence.
Your client’s financial year ends 31 December 2024. The service organisation’s Type II report covers 1 April 2023 to 31 March 2024. You have nine months of uncovered period. ISA 402.12 requires the user auditor to determine what additional audit procedures are needed to obtain sufficient appropriate audit evidence about the relevant controls during the period not covered by the report.
Four options exist:
- Obtain a bridge letter from the service organisation confirming no significant changes occurred between the report period end and your audit period end. This is the most common approach for gaps of six months or less.
- Request an updated report with a period that covers or more closely aligns with your audit period.
- Perform your own procedures at the service organisation (rare for mid-tier engagements, but ISA 402.12(c) permits it).
- Perform additional substantive procedures at the user entity to cover the gap period without relying on the service organisation’s controls.
Document which option you used and why. The AFM has specifically flagged files where the gap between the Type II report period and the audit period exceeded six months with no documented bridge procedure. This is a binary pass/fail check for inspectors: either you addressed the gap or you didn’t.
Worked example: De Groot Pensioenbeheer B.V.
Scenario: De Groot Pensioenbeheer B.V. is a Dutch pension fund administrator with €320M in assets under administration, audited by a mid-tier firm. De Groot outsources investment transaction processing and custody to Vermeer Capital Services B.V. The engagement team received a Type II report from Vermeer’s service auditor (covering 1 July 2023 to 30 June 2024) for the FY2024 audit (year ending 31 December 2024).
Step 1: Identify relevant control objectives
The engagement team mapped De Groot’s significant accounts (investment income, realised gains/losses, investment valuations) to Vermeer’s Type II report. Of the 64 control objectives in Vermeer’s report, 11 were relevant to De Groot’s financial statement assertions. These 11 covered trade execution, settlement, corporate actions processing, and position reconciliation.
Documentation note: Create a mapping table in your working paper with columns for the De Groot assertion, the Vermeer control objective number, and a relevant (Y/N) field with rationale. Cross-reference to your risk assessment working paper (WP ref: C.4.1).
Step 2: Evaluate the service auditor
Vermeer’s report was issued by Jansen & Partners Accountants, a firm registered with the NBA (Royal Netherlands Institute of Chartered Accountants). The report stated compliance with ISAE 3402. The engagement team confirmed Jansen & Partners’ registration on the NBA public register and noted their SRA membership.
Documentation note: Record the service auditor’s name, registration body, and the standard cited. ISA 402.16 requires this evaluation. A one-line note is sufficient if no red flags exist.
Step 3: Read the opinion and test results
The service auditor issued an unqualified opinion on Vermeer’s controls. In the tests of controls section, the engagement team identified two exceptions relevant to De Groot. Exception 1: for control objective 7 (trade execution authorisation), 2 of 25 sampled trades lacked pre-trade compliance confirmation. Exception 2: for control objective 11 (monthly position reconciliation), 1 of 12 monthly reconciliations was completed 8 days after the deadline.
Documentation note: For each exception, document the control objective number, the population and sample sizes reported, the number of deviations, and your assessment of impact on De Groot’s transactions. For Exception 1, the engagement team queried Vermeer to determine whether either trade involved De Groot. Neither did. For Exception 2, the late reconciliation covered August 2024 and was eventually completed with no differences noted.
Step 4: Extract and test CUECs
Vermeer’s report listed 8 CUECs. The engagement team identified 4 as relevant to De Groot’s assertions: (1) De Groot must authorise all trade instructions through Vermeer’s secure portal, (2) De Groot must reconcile Vermeer’s monthly custody statements to its own investment records, (3) De Groot must review corporate action notifications within 5 business days, and (4) De Groot must restrict portal access to authorised investment staff.
Documentation note: Test each relevant CUEC at De Groot. For CUEC 2, the engagement team inspected the December 2024 reconciliation prepared by De Groot’s investment operations team and found it completed on time with two differences investigated and resolved. Record the test, the evidence examined, and the result.
Step 5: Address the period gap
Vermeer’s report covered 1 July 2023 to 30 June 2024. De Groot’s audit period ends 31 December 2024. The gap is six months. The engagement team obtained a bridge letter from Vermeer dated 15 January 2025, signed by Vermeer’s chief operating officer, confirming no significant changes to the control environment, key personnel, or IT systems between 1 July 2024 and 31 December 2024. The engagement team also performed inquiry of De Groot’s investment director, who confirmed no service disruptions or control changes communicated by Vermeer during the gap period.
Documentation note: Retain the bridge letter in the file (WP ref: C.4.5). Document your assessment of whether the bridge letter, combined with management inquiry at De Groot, provides sufficient evidence under ISA 402.12 to extend reliance to 31 December 2024.
Review conclusion
The engagement team concluded that Vermeer’s Type II report, combined with CUEC testing at De Groot and the bridge letter covering the gap period, provided sufficient appropriate evidence under ISA 402.15 to support planned control reliance for investment transaction processing and custody. The two exceptions identified did not change the engagement team’s overall assessment: neither of the two sampled trades involved De Groot (Exception 1), and the late reconciliation was completed with no differences, so it did not result in undetected errors (Exception 2).
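As an added illustration (not part of the original article or any firm’s working papers), the following Python models the evaluation in Steps 1 to 5 as a checklist engine: it counts the months of the audit period left uncovered after the report period ends and lists the evidence gaps that remain (untested relevant CUECs, exceptions assessed as affecting the client, an unaddressed period gap). The class and field names, and the second "obtained and reviewed" file built from the same report, are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import date

@dataclass
class ControlObjective:
    number: int
    relied_upon: bool
    exception_affects_client: bool = False  # your assessment of any reported exception

@dataclass
class CUEC:
    ref: int
    relevant: bool
    tested_at_client: bool = False  # the service auditor never tests CUECs

@dataclass
class ReportEvaluation:
    report_end: date
    audit_start: date
    audit_end: date
    opinion_unqualified: bool
    objectives: list
    cuecs: list
    bridge_letter_and_inquiry: bool = False
    additional_procedures: bool = False  # updated report, own procedures or extra substantive work

def gap_months(ev):
    """Calendar months of the audit period left uncovered after the report period ends."""
    if ev.report_end >= ev.audit_end:
        return 0
    if ev.report_end < ev.audit_start:
        first = ev.audit_start.replace(day=1)
    else:  # first uncovered month is the one after the report period end
        first = date(ev.report_end.year + (ev.report_end.month == 12), ev.report_end.month % 12 + 1, 1)
    return (ev.audit_end.year - first.year) * 12 + ev.audit_end.month - first.month + 1

def evidence_gaps(ev):
    """Gaps an inspector would flag under ISA 402.15; an empty list means reliance is supported."""
    gaps = [] if ev.opinion_unqualified else ["qualified opinion: assess impact on relied-upon controls"]
    gaps += [f"exception on control objective {c.number} affects client transactions"
             for c in ev.objectives if c.relied_upon and c.exception_affects_client]
    gaps += [f"CUEC {c.ref} is relevant but untested at the user entity"
             for c in ev.cuecs if c.relevant and not c.tested_at_client]
    months = gap_months(ev)
    if months and not (ev.bridge_letter_and_inquiry or ev.additional_procedures):
        gaps.append(f"{months}-month period gap with no ISA 402.12 procedure documented")
    elif months > 6 and not ev.additional_procedures:
        gaps.append(f"{months}-month period gap: a bridge letter alone is not enough")
    return gaps

# Constructed from the De Groot worked example: the two objectives with exceptions (both assessed as
# not affecting De Groot), 4 of 8 CUECs relevant and all tested, six-month gap covered by bridge letter
DE_GROOT = ReportEvaluation(
    report_end=date(2024, 6, 30), audit_start=date(2024, 1, 1), audit_end=date(2024, 12, 31),
    opinion_unqualified=True,
    objectives=[ControlObjective(7, True), ControlObjective(11, True)],
    cuecs=[CUEC(n, True, True) for n in (1, 2, 3, 4)] + [CUEC(n, False) for n in (5, 6, 7, 8)],
    bridge_letter_and_inquiry=True)
# The "obtained and reviewed" file from the opening paragraph: same report, CUECs untested, no bridge letter
UNEVALUATED = replace(DE_GROOT, cuecs=[CUEC(n, True) for n in (1, 2, 3, 4)], bridge_letter_and_inquiry=False)
```

Running `evidence_gaps(UNEVALUATED)` returns five findings (four untested CUECs and the undocumented six-month gap), while the De Groot file returns none.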
Practical checklist for reviewing a service organisation report
- Before requesting the report, identify which service organisations are relevant to your audit and which assertions they affect. Map these in your risk assessment working paper under ISA 402.9 so the report request is targeted, not generic.
- When the report arrives, go straight to Section IV (tests of controls). Read exceptions first for the control objectives you mapped as relevant.
- Extract all CUECs into a separate working paper. Map each to an assertion. Test the relevant ones at the user entity. An untested CUEC that’s relevant to a relied-upon control objective is a gap in your evidence.
- Check the report dates against your audit period. If any gap exists, document how you addressed it (bridge letter, additional procedures, or extended substantive testing) per ISA 402.12.
- Evaluate the service auditor’s competence and independence per ISA 402.16. Check their registration with a recognised professional body and confirm the report cites ISAE 3402 or SSAE 18.
- Write your conclusion. State which control objectives you relied on, whether the report (combined with CUEC testing and gap procedures) provides sufficient evidence, and reference the specific working papers containing your assessment.
Common mistakes regulators flag
- The AFM’s 2023 thematic review found that several audited files contained a Type II report with no documented evaluation of the report’s content. The report was obtained and filed, but the working paper contained no mapping of relevant control objectives, no assessment of exceptions, and no evaluation of CUECs. ISA 402.15 requires evaluation, not just possession.
- The FRC’s 2022–23 inspection cycle noted that firms frequently failed to address the gap between the Type II report period and the audit period. In multiple files, the report ended six or more months before the financial year end with no bridge letter, no additional procedures, and no documented rationale for extending reliance beyond the report period.
Frequently asked questions
What is the difference between a Type I and Type II ISAE 3402 report?
A Type I report covers design and implementation at a point in time, telling you what controls exist as of a specific date. A Type II report covers design, implementation, and operating effectiveness over a stated period (typically six or twelve months), with tested results and reported exceptions. For most audit engagements where the user entity relies on a service organisation for a financially significant process, you need a Type II report because ISA 402.15 requires evidence about operating effectiveness.
What does ISA 402 require the user auditor to do with a service organisation report?
ISA 402.15 requires four assessments: whether the report covers controls relevant to your audit assertions, the professional competence and independence of the service auditor under ISA 402.16, whether the opinion is unqualified or contains exceptions affecting relied-upon controls, and the testing results for relevant control objectives, including exceptions with population, sample size, and deviations.
What are complementary user entity controls (CUECs)?
CUECs are controls the service organisation assumes the user entity operates. The service organisation’s controls are designed on the assumption that these user-side controls function. CUECs are not tested by the service auditor — they must be tested by the user auditor at the user entity. Common examples include restricting access to submission portals, reconciling output reports, and reviewing exception reports. An untested CUEC relevant to a relied-upon control is a gap in your evidence.
What should you do when the Type II report period doesn’t match your audit period?
ISA 402.12 requires additional evidence for the gap period. Four options exist: obtain a bridge letter confirming no significant changes, request an updated report, perform your own procedures at the service organisation, or perform additional substantive procedures at the user entity. For gaps of one to six months, a bridge letter combined with management inquiry is widely accepted. For gaps exceeding six months, the AFM expects more than a bridge letter alone.
What common mistakes do regulators flag when reviewing service organisation reports?
The AFM’s 2023 thematic review found files where the Type II report was obtained but contained no documented evaluation — no mapping of relevant control objectives, no assessment of exceptions, and no evaluation of CUECs. The FRC’s inspection cycle noted that firms frequently failed to address the gap between the report period and the audit period, with no bridge letter and no documented rationale for extending reliance.
Further reading and source references
- IAASB Handbook 2024: the authoritative source for the complete ISA 402 text, including all application material on using the work of a service auditor.
- ISAE 3402, Assurance Reports on Controls at a Service Organisation: the standard governing the service auditor’s report you’re reviewing.
- ISA 315 (Revised 2019), Identifying and Assessing Risks of Material Misstatement: the risk assessment that determines which service organisation controls are relevant.
- ISA 265, Communicating Deficiencies in Internal Control: reporting deficiencies discovered during your review of service organisation controls or CUEC testing.