You’re planning fieldwork on a mid-size client that outsources payroll, pension administration, IT hosting, and payment processing. The client hands you four ISAE 3402 reports. One is Type I from 18 months ago. Another covers January to September, but the client’s year-end is December. A third describes controls using the carve-out method, and the subservice organisation has no report at all. The fourth covers the right period but the opinion is qualified. Every gap here requires a documented response in your file before you can sign off, and in our experience this is the area where review notes pile up fastest.

ISAE 3402 provides the framework for service auditors to examine and report on controls at service organisations. It produces Type 1 reports (design and implementation) or Type 2 reports (operating effectiveness) that user auditors rely on when the entity outsources functions affecting financial reporting.

Why ISAE 3402 matters

Modern businesses outsource critical functions. Payroll processing, pension administration, IT hosting, fund accounting, payment processing, document management. These services are performed by specialised organisations on behalf of client entities. When an entity outsources a function that affects its financial reporting, the auditor faces a problem. The internal controls over that function sit inside another organisation entirely. ISAE 3402 solves this by providing a framework for a service auditor to examine and report on those controls, producing a report that user entities and their auditors can rely on.

For European audit firms, ISAE 3402 creates work on both sides of the engagement. As a service auditor, the firm performs the examination and issues the report (a recurring, high-value engagement). As a user auditor, the firm relies on ISAE 3402 reports obtained by its audit clients, avoiding the need to perform audit procedures directly at the service organisation. Understanding both roles is essential. The Netherlands, with its concentration of pension administrators, shared service centres, payroll providers, and financial services outsourcing, is one of the most active ISAE 3402 markets in Europe.

Scope and key definitions

ISAE 3402, issued in December 2009 and effective from 15 June 2011, provides requirements for reasonable assurance engagements to report on controls at a service organisation. It operates within the ISAE 3000 framework. Compliance with both ISAE 3000 and ISAE 3402 is required.

The key parties in an ISAE 3402 engagement are:

  • Service organisation: the entity that provides services to user entities (e.g., a payroll processor, pension administrator, IT hosting provider)
  • User entity: the entity that uses the service organisation’s services (e.g., the company that outsources its payroll)
  • Service auditor: the practitioner who examines and reports on the service organisation’s controls
  • User auditor: the auditor of the user entity’s financial statements, who relies on the ISAE 3402 report
  • Subservice organisation: a service organisation used by the primary service organisation (e.g., a cloud provider used by the payroll processor)

ISAE 3402’s scope is limited. The standard focuses specifically on controls that are likely to be relevant to user entities’ internal control as it relates to financial reporting. Controls related purely to the service organisation’s operational efficiency, data privacy (in isolation from financial reporting), or regulatory compliance fall outside ISAE 3402’s scope unless they also affect user entities’ financial reporting controls. Engagements covering non-financial controls (such as security, availability, or processing integrity) are typically performed under ISAE 3000 as SOC 2-type engagements.

Type 1 vs. Type 2 reports

ISAE 3402 defines two report types, and the distinction matters more than first-time issuers expect.

Type 1 report: design and implementation

A Type 1 report covers a specific point in time and provides an opinion on:

  1. Whether the service organisation’s description of its system is fairly presented
  2. Whether the controls are suitably designed to achieve the stated control objectives
  3. Whether the controls have been implemented (i.e., they exist and the organisation has put them into operation)

A Type 1 report does not test whether controls operated effectively over time. It is a snapshot. Were the controls properly designed and in place on the specified date?

Type 1 is appropriate for first-time ISAE 3402 engagements (as a stepping stone to Type 2), new service organisations, or when user entities need initial assurance on control design before committing to a service arrangement.

Type 2 report: design and operating effectiveness over a period

A Type 2 report covers a specified period (typically 12 months, aligned with the user entities’ financial reporting periods) and provides an opinion on everything in a Type 1 report, plus:

  1. Whether the controls operated effectively throughout the specified period

The service auditor tests controls over the entire period, not just at a point in time. This is what makes Type 2 reports significantly more valuable: they demonstrate that controls were not just designed well but were consistently applied.

Type 2 is appropriate for established service organisations where user auditors need to rely on controls operating effectively throughout the audit period. Most sophisticated user entities and their auditors require Type 2 reports.

Period coverage matters. If a Type 2 report covers 1 January to 30 September but the user entity’s financial year runs to 31 December, the user auditor has to deal with the gap. That usually means additional procedures for the uncovered period (October to December) or a “bridge letter” from the service organisation confirming no significant changes in controls during the gap. Skipping this is how files get flagged.

The system description

The service organisation prepares a description of its system, which forms the subject matter of the engagement. The description must include, as appropriate:

  • Types of services provided: what the service organisation does for user entities
  • Classes of transactions: transaction types processed (e.g., payroll transactions, investment transactions, payment processing)
  • Related records and accounts: how transactions flow through the system and affect financial records
  • Processes and procedures: how services are delivered, including IT systems
  • Controls: specific controls relevant to the control objectives
  • Control objectives: what each control is designed to achieve
  • Complementary user entity controls: controls that the service organisation assumes user entities will implement
  • Subservice organisations: services provided by third parties and how they are handled (carve-out or inclusive method)

The description must be fairly presented. It must be accurate, complete, and not misleading. The service auditor evaluates whether the description fairly presents the system as designed and implemented (Type 1) or as designed, implemented, and operating throughout the period (Type 2).

Subservice organisations: carve-out vs. inclusive method

When a service organisation itself uses another service organisation (a subservice organisation), two methods handle this in the report:

Carve-out method

The subservice organisation’s controls are excluded from the service organisation’s system description and the service auditor’s examination. The description identifies the nature of the services performed by the subservice organisation and states that its controls have been carved out. The user auditor must separately evaluate the subservice organisation’s controls (by obtaining a separate ISAE 3402 report from the subservice organisation or performing procedures directly).

Inclusive method

The subservice organisation’s controls are included in the service organisation’s system description and the service auditor’s examination. The service auditor tests the subservice organisation’s controls as part of the engagement. This produces a more complete report for user auditors, who can rely on the single report for both the service organisation and the subservice organisation.

Comparing the two methods factor by factor:

  • Description scope: carve-out excludes the subservice organisation; inclusive includes it
  • Testing scope: carve-out tests the service organisation’s controls only; inclusive tests both service and subservice organisation controls
  • User auditor burden: carve-out requires the user auditor to evaluate the subservice organisation separately; inclusive allows reliance on the combined report
  • Practical complexity: carve-out is simpler for the service auditor; inclusive requires cooperation with, and access to, the subservice organisation
  • Common usage: carve-out is more prevalent (subservice organisations are often reluctant to open up); inclusive is used when the subservice organisation cooperates

Cloud providers. The carve-out method is almost universal for major cloud infrastructure providers (AWS, Azure, Google Cloud). These providers issue their own ISAE 3402 or SOC 1 reports separately, and the service organisation using their infrastructure carves them out. User auditors then evaluate two reports: the service organisation’s and the cloud provider’s.

Complementary user entity controls (CUECs)

ISAE 3402 recognises that the service organisation’s controls alone may not be sufficient. The system description identifies controls that the user entity is expected to implement. These are called complementary user entity controls.

For example, a payroll processing service organisation assumes that user entities will authorise payroll changes before submitting them for processing. The service organisation processes what it receives, but the control over authorisation sits with the user entity.

CUECs are critical for user auditors. If the service organisation’s controls are designed on the assumption that the user entity performs certain controls, and the user entity fails to implement those controls, the combined control environment has a gap. The user auditor must evaluate whether the user entity has implemented the CUECs identified in the ISAE 3402 report.

The service auditor’s procedures

For Type 1 reports

  1. Obtain the service organisation’s description of its system
  2. Evaluate whether the description is fairly presented
  3. Evaluate whether controls are suitably designed to achieve control objectives
  4. Test that controls have been implemented (placed in operation) at the specified date
  5. Obtain written representations from management
  6. Form an opinion and issue the report

For Type 2 reports

All Type 1 procedures plus:

  1. Design and perform tests of controls to evaluate operating effectiveness over the period
  2. When sampling is used, determine appropriate sample sizes considering the nature of controls, frequency of performance, expected deviation rate, and desired confidence level
  3. Evaluate the results of testing, including any deviations (control exceptions)
  4. If using internal audit work, evaluate the objectivity and competence of internal auditors and reperform selected procedures

Dealing with exceptions

When tests of controls reveal deviations (exceptions), the service auditor must:

  • Determine the nature, cause, frequency, and significance of the deviation
  • Evaluate whether the deviation represents a design deficiency, an implementation failure, an operating effectiveness failure, or a combination
  • Consider whether the deviation affects the opinion (individually or in combination with other deviations)
  • Describe the exception in the report. Type 2 reports must include a description of the tests of controls and their results, including any exceptions identified

User auditors then evaluate the significance of reported exceptions for their specific audit clients.

The service auditor’s report

Type 1 report opinion covers

(a) The description is fairly presented as at [date]

(b) Controls related to the control objectives are suitably designed

(c) Controls were implemented as at [date]

Type 2 report opinion covers

(a) The description is fairly presented throughout the period [date to date]

(b) Controls related to the control objectives are suitably designed throughout the period

(c) Controls operated effectively throughout the period to provide reasonable assurance that control objectives were achieved

Report attachments

The report includes the system description prepared by the service organisation (management’s description), management’s assertion (a written statement asserting the description is fairly presented and controls are suitably designed, and for Type 2, operated effectively), and the service auditor’s report itself (the opinion plus description of procedures).

For Type 2 reports specifically, the report must include:

  • A description of the tests of controls performed by the service auditor
  • The results of those tests, including exceptions identified

This detail is essential. User auditors need to understand what was tested, how it was tested, what was found, and what exceptions were identified in order to evaluate whether they can rely on the controls for their own audit purposes.

Modified opinions

The service auditor may issue a qualified or adverse opinion when:

  • The description is not fairly presented in some material respect
  • Controls are not suitably designed to achieve a stated control objective
  • Controls did not operate effectively throughout the specified period (Type 2)
  • A combination of the above deficiencies exists that is pervasive

A disclaimer may be issued when a scope limitation prevents the service auditor from obtaining sufficient appropriate evidence.

The user auditor’s perspective under ISA 402

On the other side of the equation, ISA 402 (Audit Considerations Relating to an Entity Using a Service Organisation) guides user auditors in evaluating and relying on ISAE 3402 reports. The user auditor must:

  1. Obtain an understanding of the nature and significance of services provided and their effect on the user entity’s internal control
  2. Obtain sufficient appropriate evidence about controls at the service organisation, typically by reading the ISAE 3402 report
  3. Evaluate the report: Is it from a competent, independent service auditor? Does it cover the relevant period? Does the opinion support reliance? What exceptions were identified?
  4. Evaluate CUECs: has the user entity implemented the complementary controls the service organisation assumes?
  5. Consider the effect of subservice organisations (especially if carved out)

Don’t just file the report. A common audit quality failing is treating the ISAE 3402 report as a tick box exercise. Obtain it, file it, move on. The user auditor must actively read the report, evaluate the relevance of control objectives, assess exceptions, consider the period covered, and check CUECs at the user entity. The file should tell a story about how the team got comfortable with reliance, not just confirm that a report was on the share drive. Regulators consistently flag insufficient evaluation of service organisation reports as an audit quality issue.

ISAE 3402 vs. SOC 1 and SOC 2

The terminology can be confusing. Here is the relationship:

  • ISAE 3402 (international, IAASB): financial reporting controls; Type 1 and Type 2 reports
  • SOC 1 (US, AICPA, under SSAE 18): financial reporting controls; Type 1 and Type 2 reports
  • SOC 2 (US, AICPA, under AT-C 205): Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy); Type 1 and Type 2 reports
  • SOC 3 (US, AICPA): Trust Services Criteria, general-use summary; single report type

SOC 1 and ISAE 3402 are functionally equivalent. Both address financial reporting controls at service organisations. Many international service organisations obtain dual reports (ISAE 3402 for international users and SOC 1 for US users) based on a single set of procedures. SOC 2 reports (under ISAE 3000 internationally) cover broader trust services criteria and are increasingly requested for IT and cloud service providers.

European jurisdiction implementations

Netherlands

The Netherlands is one of Europe’s most active ISAE 3402 markets, driven by its concentration of pension administrators (pensioenuitvoeringsorganisaties), payroll service providers, shared service centres for multinationals, and financial services outsourcing operations. The NBA has published specific guidance on performing ISAE 3402 engagements. Dutch pension funds are required by DNB to ensure that their administrators maintain adequate internal controls, and ISAE 3402 reports are the standard mechanism for demonstrating this. Major service organisations active in the Dutch market, such as ADP and Visma, as well as the pension administrators, routinely obtain Type 2 reports. For user auditors of Dutch entities, evaluating ISAE 3402 reports is a core skill. The AFM has repeatedly flagged insufficient evaluation of service organisation reports in its audit quality inspection findings. Dutch practice also sees significant demand for SOC 2-type reports (under ISAE 3000) from IT service providers and cloud-based software companies.

Germany

German implementation follows IDW PS 951 (now aligned with ISAE 3402). Germany’s Rechenzentren (data centres), payroll processors (Lohnbuchhaltungsdienste), and shared service centres for the Mittelstand are frequent subjects of ISAE 3402 engagements. BaFin requires financial institutions to ensure adequate controls at outsourced service providers under MaRisk AT 9 (outsourcing requirements), and ISAE 3402 reports are a key tool for demonstrating compliance with supervisory requirements. The IDW has published extensive guidance on the interplay between banking supervisory requirements and ISAE 3402 engagements. For German group auditors dealing with shared service centres in Eastern Europe or Asia (common for German multinationals), ISAE 3402 reports are essential for establishing reliance on controls at remote processing centres. The Wirtschaftsprüfer acting as service auditor must consider both the international standard and German-specific quality management requirements.

United Kingdom

ISA (UK) 402 and ISAE (UK) 3402 align with the international standards and add UK-specific requirements. The UK has a mature ISAE 3402 market, with AAF 01/20 (Assurance Reports on Internal Controls of Service Organisations Made Available to Third Parties) serving as the ICAEW’s technical release that provides UK-specific guidance on ISAE 3402 engagements. Financial services outsourcing is heavily regulated. The PRA and FCA require firms to maintain adequate oversight of outsourced functions, and ISAE 3402 reports are a primary mechanism. The FRC has published thematic reviews on user auditors’ evaluation of service organisation reports, consistently finding room for improvement. UK-based shared service centres, fund administrators, and fintech service providers are frequent subjects of ISAE 3402 and SOC 2 reporting. The UK’s post-Brexit regulatory environment has not materially changed the demand for or approach to service organisation reporting.

France

French practice under the CNCC framework has adopted ISAE 3402 principles, with commissaires aux comptes performing service auditor engagements for French outsourcing providers, particularly in the financial services sector. The ACPR requires financial institutions to monitor controls at outsourced service providers, and ISAE 3402 reports satisfy this supervisory expectation. France’s growing fintech and regtech sector is generating increasing demand for service organisation reports. For large French groups with shared service centres (centres de services partagés) in countries like Romania, Poland, or Morocco, ISAE 3402 reports from the service auditor at the shared service centre enable the commissaire aux comptes to satisfy ISA 402 requirements without travelling to each location. The H3C oversees quality for ISAE 3402 engagements performed by French practitioners.

Relationship with other standards

  • ISAE 3000: ISAE 3402 operates within the ISAE 3000 framework. Compliance with both is required.
  • ISA 402: the user auditor’s standard for evaluating service organisation controls and relying on ISAE 3402 reports.
  • ISA 315: the user auditor’s understanding of the entity includes understanding relevant services and controls at service organisations.
  • ISA 330: the user auditor’s responses to assessed risks may include reliance on ISAE 3402 reports as audit evidence.
  • ISA 620: the service auditor may use experts (e.g., IT specialists) in performing the engagement.
  • ISQM 1: quality management requirements apply to the service auditor’s firm.
  • IESBA Code: independence requirements apply. The service auditor must be independent of the service organisation.

If you’re starting an ISAE 3402 engagement, the ISAE 3402 Audit Workbook gives you the full file structure from scoping through to the opinion. Every tab cross-references the next, and every judgment call is prompted with the relevant paragraph reference.

Frequently asked questions

What is the difference between a Type 1 and Type 2 ISAE 3402 report?

A Type 1 report covers a specific point in time and provides an opinion on whether the service organisation's description of its system is fairly presented, whether controls are suitably designed, and whether controls have been implemented. A Type 2 report covers a specified period (typically 12 months) and provides an opinion on everything in a Type 1 report plus whether the controls operated effectively throughout the period. Type 2 reports are significantly more valuable because they demonstrate consistent application of controls over time.

What is the difference between the carve-out and inclusive methods?

The carve-out method excludes the subservice organisation's controls from the service organisation's system description and the service auditor's examination. The user auditor must separately evaluate the subservice organisation's controls. The inclusive method includes the subservice organisation's controls in the description and examination, producing a more complete report. The carve-out method is more prevalent because subservice organisations are often reluctant to open up to another auditor's testing.

What are complementary user entity controls (CUECs)?

CUECs are controls that the service organisation assumes the user entity will implement to complete the control environment. For example, a payroll processor may assume that user entities will authorise payroll changes before submitting them. If the user entity fails to implement CUECs, the combined control environment has a gap. User auditors must evaluate whether the user entity has implemented the CUECs identified in the ISAE 3402 report.

How does ISAE 3402 relate to SOC 1 and SOC 2 reports?

ISAE 3402 (international, IAASB) and SOC 1 (US, AICPA under SSAE 18) are functionally equivalent. Both address financial reporting controls at service organisations. Many international service organisations obtain dual reports. SOC 2 reports (under ISAE 3000 internationally) cover broader trust services criteria including security, availability, processing integrity, confidentiality, and privacy, and are increasingly requested for IT and cloud service providers.

Further reading and source references

  • IAASB Handbook 2024: The authoritative source for the complete ISAE 3402 text.
  • ISAE 3000 (Revised): The overarching framework for all non-audit assurance engagements, within which ISAE 3402 operates.
  • ISA 402: The user auditor's standard for evaluating service organisation controls and relying on ISAE 3402 reports.
  • ISQM 1: Quality management requirements applicable to firms performing ISAE 3402 engagements.
  • IESBA Code: Independence and ethical requirements with specific provisions for assurance engagements.