You get the Type 2 SOC report in week three of fieldwork. Forty-eight pages. Four control exceptions. No-one on the team has read it. The payroll bureau numbers are booked, the custodian confirmations are back, the cloud accounting system reconciles to the ledger. But the controls that sit between your client’s data entry and those tied-out totals are somewhere inside those 48 pages, and nobody has looked.
That is an ISA 402 problem, and on about half our engagements it goes unnoticed until the partner review. ISA 402 asks the user auditor to understand the outsourced services that are part of the user entity’s information system, assess the risks they introduce, and decide whether a Type 1 or Type 2 report under ISAE 3402 (or something else) gives enough evidence to sign off.
Key Takeaways
- ISA 402 addresses the user auditor’s responsibilities when an audit client (the user entity) outsources services to a third party (the service organisation) that are relevant to the user entity’s financial reporting.
- The standard applies whenever outsourced services are part of the user entity’s information system relevant to financial reporting. Common examples include outsourced payroll, IT hosting, fund administration, claims processing, and transaction processing.
- Outsourcing does not transfer responsibility: the user entity remains responsible for its financial statements, and the user auditor remains responsible for the audit opinion. The auditor cannot simply disclaim responsibility because records are held elsewhere.
- The user auditor can get the understanding and evidence they need through direct procedures at the service organisation, or by using a Type 1 report (description and design of controls) or a Type 2 report (description, design, and operating effectiveness) issued under ISAE 3402 or an equivalent standard such as the AICPA’s System and Organization Controls 1 (SOC 1) report.
- When using a Type 1 or Type 2 report, the user auditor has to evaluate the report’s sufficiency, timing, and relevance, then understand and test the complementary user entity controls (CUECs) that the service organisation has said are needed for its controls to work.
- The user auditor also has to look at subservice organisations (service organisations used by the service organisation itself) and decide whether they are handled through the inclusive method (covered in the report) or the carve-out method (excluded, and needing separate consideration).
- What is ISA 402?
- Key definitions
- When does ISA 402 apply?
- The user auditor’s responsibilities
- Type 1 and Type 2 reports
- Evaluating a Type 1 or Type 2 report
- Complementary user entity controls (CUECs)
- Subservice organisations
- When no report is available
- ISA 402 in your jurisdiction
- Frequently asked questions
- Worked example: evaluating a service organisation report for a Dutch wholesale distributor
What is ISA 402?
ISA 402, titled “Audit Considerations Relating to an Entity Using a Service Organisation,” deals with something every European audit team now hits: entities outsource functions that feed directly into their financial statements. Payroll runs through a bureau. Investment transactions are executed and settled by a custodian. IT systems sit on cloud providers. Insurance claims are handled by third-party administrators.
When those outsourced functions form part of the user entity’s information system relevant to financial reporting, they fall inside the audit scope, even though the user auditor may never set foot in the service organisation or see its records. ISA 402 is the framework for handling that distance.
The standard sits alongside ISA 315 (understanding internal control) and ISA 330 (responding to assessed risks), extending those requirements into the outsourced environment.
Key definitions
| Term | Definition |
|---|---|
| User entity | The entity whose financial statements are being audited (the audit client) |
| Service organisation | A third-party organisation that provides services to user entities that are part of those entities’ information systems relevant to financial reporting |
| User auditor | The auditor who audits the user entity’s financial statements |
| Service auditor | The auditor who reports on controls at the service organisation (under ISAE 3402 or equivalent) |
| Subservice organisation | A service organisation used by another service organisation to provide services that are part of the user entity’s information system |
| Complementary user entity controls (CUECs) | Controls that the service organisation’s system design assumes will be implemented by the user entity. The service organisation’s controls only work properly if these are in place. |
| Type 1 report | A report on the description and design of controls at the service organisation at a specific date |
| Type 2 report | A report on the description, design, and operating effectiveness of controls at the service organisation for a specified period |
When does ISA 402 apply?
ISA 402 applies when the services provided by a service organisation are part of the user entity’s information system relevant to financial reporting. ISA 402.A1 provides examples:
- Transaction processing: payroll bureaux, payment processing, custodian services, fund administration.
- Record-keeping: maintaining the general ledger or subsidiary records for the user entity.
- IT hosting: cloud-based accounting systems, ERP hosting, data centres that store financial data.
- Investment management: portfolio management, trade execution and settlement.
- Claims processing: insurance claims administration, benefits processing.
Not every outsourced service pulls in ISA 402. Running the staff canteen or cleaning the office (even though both are outsourced) sits outside the financial reporting information system and does not trigger the standard.
ISA 402 keeps getting broader
Cloud migration has widened the footprint of this standard. An entity using cloud-hosted accounting software (Exact Online, Xero, QuickBooks Online, SAP Business ByDesign) is using a service organisation. An entity with payroll processed externally (which is the default for Dutch SMEs) is using a service organisation. A pension fund with asset management outsourced to a fund manager is using a service organisation. In our experience, audit teams underestimate how much of the client’s financial reporting actually sits at third parties. During planning, walk through every outsourced function and ask whether it touches the information system relevant to financial reporting.
The user auditor’s responsibilities
Obtaining an understanding
ISA 402.9–10 asks the user auditor to obtain an understanding of four things:
(a) The nature of the services provided by the service organisation, and how significant those services are to the user entity, including their effect on internal control.
(b) The nature and materiality of the transactions processed, or the accounts and financial reporting processes affected by the service organisation.
(c) The degree of interaction between the service organisation’s activities and those of the user entity, including the terms of the contract or service level agreement.
(d) The user entity’s own internal control as it relates to the outsourced services, specifically the controls the user entity applies to transactions processed by the service organisation.
Sources of information
The user auditor can get this understanding from several sources (ISA 402.A12):
- The service organisation’s user manuals and system descriptions.
- The contract or service level agreement between the user entity and the service organisation.
- Reports by the service auditor (Type 1 or Type 2 reports).
- Inquiries of user entity management about their monitoring of the service organisation.
- Prior-year experience with the service organisation.
- Direct contact with the service organisation (subject to contractual and confidentiality constraints).
Type 1 and Type 2 reports
The usual way a user auditor learns about controls at a service organisation is through a service auditor’s report issued under ISAE 3402, “Assurance Reports on Controls at a Service Organisation.” In the US the equivalent is the System and Organization Controls 1 (SOC 1) report under SSAE 18 (AT-C section 320). Global service organisations often issue both, or a single report that references both standards.
Type 1 report
A Type 1 report gives the service auditor’s opinion on the description of the service organisation’s system and the suitability of design of controls to meet specified control objectives. It is as of a specific date. It tells you what the controls looked like at that moment, but gives no evidence that they actually worked.
For the user auditor, a Type 1 report helps with the ISA 315 understanding piece. It does not support reliance under ISA 330.
Type 2 report
A Type 2 report includes everything in a Type 1 plus the operating effectiveness of the controls, the service auditor’s tests, and the results of those tests. It covers a specified period, not a single date. When the scope and timing line up with the audit, a Type 2 report can support the user auditor’s assessment of control risk, provided the user auditor is satisfied with the service auditor’s competence, the report’s coverage, and the results of the tests.
This is where the work tends to go quiet. At firms like ours the SOC 1 review is too often a tick box exercise. Someone opens the report, reads the exceptions section, ticks. Nobody on the team wants to raise a SOC exception with the partner at 11pm the night before clearance. But that is exactly when they tend to surface.
| | Type 1 Report | Type 2 Report |
|---|---|---|
| What it covers | Description and design of controls | Description, design, and operating effectiveness |
| Period / date | As of a specific date | For a specified period |
| Tests of controls | None | Yes, with results |
| Useful for ISA 315 (understanding) | Yes | Yes |
| Useful for ISA 330 (reliance on controls) | No | Yes, if properly evaluated |
| Issued under | ISAE 3402 (or SOC 1 in US context) | ISAE 3402 (or SOC 1 in US context) |
Evaluating a Type 1 or Type 2 report
ISA 402.13 (for understanding) and ISA 402.17 (for reliance on operating effectiveness) ask the user auditor to evaluate the report before using it. In my experience the evaluation breaks into five separate questions, each of which needs a real answer on file rather than a tick.
The service auditor. The user auditor has to be satisfied with the service auditor’s professional competence and independence. Checking credentials, firm reputation, and regulatory standing is the starting point.
The timing. The report’s date (Type 1) or period (Type 2) has to line up with the audit. A Type 2 report covering January to September does not give evidence for October to December. The user auditor has to think about what covers that gap. (More on this below.)
The scope. The report has to cover the services and controls relevant to the user entity’s financial statements. Service organisations often provide many services, and only some of them matter for the specific user entity in front of you.
The results. For a Type 2 report, the user auditor considers whether any deviations or exceptions the service auditor flagged affect the planned reliance. A report with numerous exceptions may not give the assurance the team assumed it would.
The CUECs. The report will usually identify CUECs that the service organisation’s controls assume are in place at the user entity. The user auditor has to understand them and test whether the user entity has actually put them in place.
Complementary user entity controls (CUECs)
CUECs are the most practically important (and the most often missed) part of ISA 402. Service organisations design their controls on the assumption that the user entity will do certain things. Four common examples:
- Authorisation of transactions. The service organisation processes what the user entity submits, so the user entity has to make sure only properly authorised transactions are submitted.
- Reconciliation of reports. The service organisation produces output reports, and the user entity has to reconcile them to its own records to catch errors or omissions.
- Access controls. The service organisation may provide the system, and the user entity manages user access rights and segregation of duties.
- Review of processing results. The user entity reviews the accuracy and completeness of what the service organisation produced.
If the user entity has not implemented the CUECs listed in the service auditor’s report, the service organisation’s controls may not be effective, even when the Type 2 report shows no deviations. CUECs have to be tested as part of the audit.
CUECs are where the real risk lies
In our experience, control failures tied to service organisations are far more likely to happen at the user entity level (through failure to implement CUECs) than at the service organisation level. The service organisation is usually a specialist processing thousands of transactions for many clients, with controls that are well-designed and well-tested. The individual user entity often does not understand or consistently perform the reconciliations, authorisations, and reviews that make the whole thing work end-to-end. You still see CUEC documentation with “appears reasonable. Waive further pursuit.” scribbled next to the reconciliation control. That is not evaluation. Read the CUECs section carefully, and test whether the user entity is actually performing them.
Subservice organisations
ISA 402.18 deals with the case where the service organisation itself outsources certain functions to a subservice organisation. A payroll bureau may use a cloud hosting provider for its IT infrastructure. A fund administrator may use a third party for trade settlement.
The service auditor’s report handles the subservice organisation in one of two ways.
Inclusive method. The subservice organisation’s controls are built into the service organisation’s system description and covered by the service auditor’s testing. The user auditor can rely on the report for both the service organisation and the subservice organisation.
Carve-out method. The subservice organisation’s services are described in the report, but its controls are excluded from the description and from the service auditor’s testing. The description should still say which of the service organisation’s control objectives depend on controls at the subservice organisation, so the user auditor can tell which assertions the gap touches. The user auditor has to separately consider the subservice organisation’s controls by getting a separate report, performing direct procedures, or engaging another auditor.
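The five evaluation questions above, the CUEC testing requirement and the carve-out check are a procedure, and it is easy to lose track of the open items across a 48-page report. The following is an added illustration, not anything prescribed by ISA 402 or taken from the page: a small Python checker that takes the facts a user auditor would extract from a Type 1 or Type 2 report (period, scoped services, listed CUECs, subservice organisations, exceptions) and the facts about the client (audit period, services used, CUECs tested effective) and returns the items that still need work. The 90-day tolerance for the tail-end gap is an assumed firm-policy figure, and every organisation name and CUEC identifier in the sample data is made up.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ServiceAuditorReport:
    """Facts a user auditor extracts from an ISAE 3402 / SOC 1 report."""
    service_org: str
    report_type: int                  # 1 = design only; 2 = design + operating effectiveness
    period_start: date | None         # None for a Type 1 (as-of) report
    period_end: date                  # period end (Type 2) or as-of date (Type 1)
    scoped_services: frozenset        # services the report's control objectives cover
    cuecs: frozenset                  # CUEC ids the report says the user entity must operate
    subservice_orgs: dict             # name -> "inclusive" or "carve-out"
    exceptions: tuple = ()            # deviations reported by the service auditor


@dataclass(frozen=True)
class UserEntityContext:
    """What the audit team knows about its own client."""
    audit_start: date
    audit_end: date
    services_used: frozenset          # outsourced services feeding the financial statements
    cuecs_tested_effective: frozenset # CUECs the user auditor tested and found effective
    max_bridge_days: int = 90         # assumed firm-policy tolerance for the tail-end gap


def evaluate_report(report: ServiceAuditorReport, ctx: UserEntityContext) -> dict:
    """Apply the timing, scope, CUEC, subservice and results checks; return open items."""
    findings = []

    # Timing: days of the audit period with no report coverage at the start and the end.
    if report.report_type == 2:
        gap_before = max(0, (report.period_start - ctx.audit_start).days)
        gap_after = max(0, (ctx.audit_end - report.period_end).days)
    else:
        gap_before = gap_after = 0
        findings.append("Type 1 report: design only, no evidence of operating effectiveness")
    if gap_before:
        findings.append(f"{gap_before} days at the start of the period are not covered")
    if gap_after:
        findings.append(f"{gap_after} days at the end of the period need bridging evidence")
    if gap_after > ctx.max_bridge_days:
        findings.append("tail-end gap exceeds tolerance; a bridging letter alone is not enough")

    # Scope: services the client uses that the report's control objectives do not address.
    out_of_scope = sorted(ctx.services_used - report.scoped_services)
    findings += [f"service '{s}' is outside the report's scope" for s in out_of_scope]

    # CUECs: the service organisation's controls assume these run at the user entity.
    untested_cuecs = sorted(report.cuecs - ctx.cuecs_tested_effective)
    findings += [f"CUEC {c} not tested or not effective at the user entity" for c in untested_cuecs]

    # Subservice organisations: carve-outs are outside the service auditor's tests.
    carve_outs = sorted(n for n, m in report.subservice_orgs.items() if m == "carve-out")
    findings += [f"subservice organisation '{n}' is carved out; needs separate evidence" for n in carve_outs]

    # Results: exceptions are a judgement call, so they are listed but do not block on their own.
    findings += [f"service auditor exception to evaluate: {e}" for e in report.exceptions]

    reliance_supported = (
        report.report_type == 2 and gap_before == 0 and gap_after <= ctx.max_bridge_days
        and not out_of_scope and not untested_cuecs and not carve_outs
    )
    return {
        "gap_before_days": gap_before,
        "gap_after_days": gap_after,
        "out_of_scope_services": out_of_scope,
        "untested_cuecs": untested_cuecs,
        "carved_out_subservice_orgs": carve_outs,
        "findings": findings,
        "reliance_supported": reliance_supported,
    }


# Constructed sample: a payroll bureau's Type 2 report for 1 Jan - 30 Sep 2024, evaluated
# against a calendar-2024 audit. Names and identifiers are invented for illustration.
SAMPLE_REPORT = ServiceAuditorReport(
    service_org="Loonbureau Voorbeeld BV", report_type=2,
    period_start=date(2024, 1, 1), period_end=date(2024, 9, 30),
    scoped_services=frozenset({"payroll processing"}),
    cuecs=frozenset({"CUEC-01", "CUEC-02", "CUEC-03"}),
    subservice_orgs={"CloudHost Voorbeeld BV": "carve-out"},
    exceptions=("1 of 25 sampled payroll changes lacked documented approval",),
)
SAMPLE_CONTEXT = UserEntityContext(
    audit_start=date(2024, 1, 1), audit_end=date(2024, 12, 31),
    services_used=frozenset({"payroll processing", "pension filings"}),
    cuecs_tested_effective=frozenset({"CUEC-01", "CUEC-03"}),
)
# Constructed clean case: full-year report, inclusive subservice, all CUECs tested.
CLEAN_REPORT = ServiceAuditorReport(
    service_org="Loonbureau Voorbeeld BV", report_type=2,
    period_start=date(2024, 1, 1), period_end=date(2024, 12, 31),
    scoped_services=frozenset({"payroll processing"}), cuecs=frozenset({"CUEC-01"}),
    subservice_orgs={"CloudHost Voorbeeld BV": "inclusive"},
)
CLEAN_CONTEXT = UserEntityContext(
    audit_start=date(2024, 1, 1), audit_end=date(2024, 12, 31),
    services_used=frozenset({"payroll processing"}), cuecs_tested_effective=frozenset({"CUEC-01"}),
)

if __name__ == "__main__":
    result = evaluate_report(SAMPLE_REPORT, SAMPLE_CONTEXT)
    for line in result["findings"]:
        print("-", line)
    print("reliance supported:", result["reliance_supported"])
```

Running it on the sample data lists the 92-day October-to-December gap (over the assumed tolerance), the pension filings service the report never scoped, CUEC-02 as untested, the carved-out hosting provider, and the one exception to assess; the clean case returns reliance supported. The exception is deliberately not a hard blocker, because whether a deviation undermines planned reliance is the user auditor's judgement, which is exactly the part that should not be reduced to a tick.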
When no report is available
Not every service organisation issues an ISAE 3402 report. In that case ISA 402 (paragraphs 12 and 16) leaves the user auditor with several routes. Pick the one that fits the evidence gap rather than defaulting to whichever is easiest.
- Visit the service organisation. The user auditor may contact the service organisation and perform procedures directly, subject to contractual arrangements.
- Use another auditor. The user auditor may engage another auditor to perform procedures at the service organisation.
- Run alternative procedures at the user entity. The user auditor may design substantive procedures that give enough evidence without relying on controls at the service organisation. That typically means obtaining and testing all output reports from the service organisation, reconciling to source data, and doing additional substantive work on the affected account balances.
- Combine the above. In our experience, the gap at the tail end of the period is usually closed with a bridging letter plus additional substantive testing over the uncovered weeks. The bridging letter on its own is a representation from the service organisation’s management, not service auditor assurance, so it is the substantive testing that actually closes the gap.
ISA 402 in your jurisdiction
Netherlands. COS 402 follows ISA 402 closely. The Dutch market has high penetration of outsourced services. Payroll bureaux (salarisadministratie) are used by the vast majority of SMEs, and investment fund administration is commonly outsourced. The NBA provides guidance on evaluating ISAE 3402 reports. The AFM’s inspections have identified that some auditors insufficiently evaluate whether the scope and timing of Type 2 reports are adequate for their purposes and that CUEC testing is frequently incomplete.
Germany. IDW PS 402 adapts ISA 402. German practice also recognises the IDW PS 951 standard (Prüfung des internen Kontrollsystems bei Dienstleistungsunternehmen), which is the German equivalent of ISAE 3402 and was historically used before ISAE 3402 became widespread. The WPK’s inspections focus on whether user auditors adequately consider the significance of outsourced functions during planning.
United Kingdom. ISA (UK) 402 is substantively aligned with ISA 402. The FRC has noted in inspections that the use of service organisations is rising (particularly cloud-based IT), and that some auditors are slow to see the implications for their audit approach. UK-specific considerations include the financial services sector, where the outsourcing of fund administration, custody, and transfer agency functions makes ISA 402 considerations pervasive.
France. NEP 402 implements ISA 402 within the French statutory framework. French practice also has to consider the specific requirements of the H3C (since 1 January 2024 the H2A, Haute autorité de l’audit) regarding outsourced functions, particularly for PIE audits. The joint audit (co-commissariat aux comptes) structure adds a layer of coordination when service organisations are involved. Both auditors have to agree on the approach to the service organisation and the evaluation of reports.
Frequently asked questions
Does outsourcing affect the entity’s responsibility for its financial statements?
No. ISA 402 is clear: the user entity’s management remains responsible for the financial statements and for maintaining effective internal control, regardless of outsourcing. Similarly, the user auditor retains full responsibility for the audit opinion. Outsourcing does not reduce or transfer audit responsibility.
What is the difference between an ISAE 3402 report and a SOC report?
ISAE 3402 is the international standard issued by the IAASB for assurance reports on controls at service organisations. SOC 1 (System and Organization Controls 1) reports are issued under the US AICPA’s SSAE 18 (AT-C section 320) and serve the same purpose. In practice, many global service organisations issue a single report that references both standards, or one report under each. A bridge letter is something different: it is a statement from the service organisation covering the period after a report’s period end, not a mapping between the two standards. For European audits, ISAE 3402 is the directly applicable standard.
What if the Type 2 report doesn’t cover the full audit period?
The user auditor must consider what additional evidence is needed for the uncovered period. Options include: obtaining a bridging (gap) letter from the service organisation, performing additional procedures at the user entity to cover the gap period, or testing the user entity’s monitoring controls over the service organisation for the remaining period. A bridging letter is a representation by the service organisation’s management that there have been no significant changes to the system or controls since the report period ended; it is not tested by the service auditor and is not assurance, so the longer the gap, the less weight it carries and the more the other options have to do.
Do cloud-based accounting systems trigger ISA 402?
On virtually every engagement we have worked, yes. If the cloud system is part of the user entity’s information system relevant to financial reporting (which by definition it is, if it is the entity’s accounting system) then ISA 402 applies. The user auditor has to understand the controls at the cloud provider and decide whether a Type 1 or Type 2 report is available and fit for purpose.
What if the user auditor disagrees with the service auditor’s conclusions?
The user auditor is responsible for their own conclusions. If the user auditor has concerns about the service auditor’s report (due to scope limitations, qualifications, or concerns about the service auditor’s competence) the user auditor must consider the implications for the audit and may need to perform additional procedures, modify the risk assessment, or seek additional evidence.
Further reading and source references
- IAASB Handbook 2024: ISA 402 full text: The authoritative source including all application material.
- ISAE 3402: Assurance Reports on Controls at a Service Organisation: the standard governing the service auditor’s report.
- ISA 315 (Revised 2019): Identifying and Assessing Risks: the risk assessment framework that ISA 402 extends to service organisations.
- ISA 330: The Auditor’s Responses to Assessed Risks: governs how the user auditor uses evidence from service organisation reports.
- ISA 600: Special Considerations: Audits of Group Financial Statements: relevant where service organisations or shared service centres operate within group structures.
This guide reflects the ISA 402 text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.