Key Takeaways

  • ISAE 3402 is the infrastructure standard of the outsourcing economy — it makes trust possible between entities that outsource critical functions and the auditors who must verify financial reporting integrity.
  • The Type 1/Type 2 distinction, the carve-out/inclusive method for subservice organisations, and the concept of complementary user entity controls are the three pillars practitioners must master.
  • For European firms, ISAE 3402 engagements represent a significant and growing revenue stream on the service auditor side, while proper evaluation of ISAE 3402 reports is a core audit quality expectation on the user auditor side.
  • The standard's relevance will only increase as outsourcing, cloud migration, and platform-based service delivery continue to expand across European markets.

Why ISAE 3402 Matters

Modern businesses outsource critical functions. Payroll processing, pension administration, IT hosting, fund accounting, payment processing, document management — these services are performed by specialised organisations on behalf of client entities. When an entity outsources a function that affects its financial reporting, the entity's auditor faces a challenge: the internal controls over that function sit inside another organisation entirely. ISAE 3402 solves this by providing a framework for a service auditor to examine and report on those controls, producing a report that user entities and their auditors can rely on.

For European audit firms, ISAE 3402 creates opportunity on both sides of the engagement. As a service auditor, the firm performs the ISAE 3402 examination and issues the report — a recurring, high-value engagement. As a user auditor, the firm relies on ISAE 3402 reports obtained by its audit clients, avoiding the need to perform audit procedures directly at the service organisation. Understanding both roles is essential. The Netherlands, with its concentration of shared service centres, pension administrators, and financial services outsourcing, is one of the most active ISAE 3402 markets in Europe.

Scope and Key Definitions

ISAE 3402, issued in December 2009 and effective from 15 June 2011, provides requirements for reasonable assurance engagements to report on controls at a service organisation. It operates within the ISAE 3000 framework — compliance with both ISAE 3000 and ISAE 3402 is required.

Key parties:

| Party | Role |
|---|---|
| Service organisation | The entity that provides services to user entities (e.g., a payroll processor, pension administrator, IT hosting provider) |
| User entity | The entity that uses the service organisation's services (e.g., the company that outsources its payroll) |
| Service auditor | The practitioner who examines and reports on the service organisation's controls |
| User auditor | The auditor of the user entity's financial statements, who relies on the ISAE 3402 report |
| Subservice organisation | A service organisation used by the primary service organisation (e.g., a cloud provider used by the payroll processor) |

Scope limitation: ISAE 3402 focuses specifically on controls that are likely to be relevant to user entities' internal control as it relates to financial reporting. Controls related purely to the service organisation's operational efficiency, data privacy (in isolation from financial reporting), or regulatory compliance fall outside ISAE 3402's scope unless they also affect user entities' financial reporting controls. Engagements covering non-financial controls (such as security, availability, or processing integrity) are typically performed under ISAE 3000 as SOC 2-type engagements.

Type 1 vs. Type 2 Reports

ISAE 3402 defines two report types, and the distinction is fundamental:

Type 1 Report — Design and Implementation

A Type 1 report covers a specific point in time and provides an opinion on:

  1. Whether the service organisation's description of its system is fairly presented
  2. Whether the controls are suitably designed to achieve the stated control objectives
  3. Whether the controls have been implemented (i.e., they exist and the organisation has put them into operation)

A Type 1 report does not test whether controls operated effectively over time. It is a snapshot — were the controls properly designed and in place on the specified date?

When Type 1 is appropriate: First-time ISAE 3402 engagements (as a stepping stone to Type 2), new service organisations, or when user entities need initial assurance on control design before committing to a service arrangement.

Type 2 Report — Design, Implementation, and Operating Effectiveness

A Type 2 report covers a specified period (typically 12 months, aligned with the user entities' financial reporting periods) and provides an opinion on everything in a Type 1 report plus:

  1. Whether the controls operated effectively throughout the specified period

The service auditor tests controls over the entire period — not just at a point in time. This is what makes Type 2 reports significantly more valuable: they demonstrate that controls were not just designed well but were consistently applied.

When Type 2 is appropriate: Established service organisations where user auditors need to rely on controls operating effectively throughout the audit period. Most sophisticated user entities and their auditors require Type 2 reports.

Period Coverage Matters

If a Type 2 report covers 1 January to 30 September but the user entity's financial year runs to 31 December, the user auditor must consider the gap. The user auditor may need to perform additional procedures for the uncovered period (October to December) or obtain a "bridge letter" (also called a gap letter) from the service organisation confirming that no significant changes to the controls occurred during the gap. A bridge letter is a representation by the service organisation's management; the service auditor has not examined it and its opinion does not extend to it, so it provides comfort rather than audit evidence. The longer the gap and the more significant the outsourced process to the financial statements, the less weight a bridge letter can carry on its own and the more the user auditor should expect to perform procedures of their own.

The System Description

The service organisation prepares a description of its system, which forms the subject matter of the engagement. The description must include, as appropriate:

| Element | Content |
|---|---|
| Types of services provided | What the service organisation does for user entities |
| Classes of transactions | Transaction types processed (e.g., payroll transactions, investment transactions, payment processing) |
| Related records and accounts | How transactions flow through the system and affect financial records |
| Processes and procedures | How services are delivered, including IT systems |
| Controls | Specific controls relevant to the control objectives |
| Control objectives | What each control is designed to achieve |
| Complementary user entity controls | Controls that the service organisation assumes user entities will implement |
| Subservice organisations | Services provided by third parties and how they are handled (carve-out or inclusive method) |

The description must be fairly presented — it must be accurate, complete, and not misleading. The service auditor evaluates whether the description fairly presents the system as designed and implemented (Type 1) or as designed, implemented, and operating throughout the period (Type 2).

Subservice Organisations — Carve-Out vs. Inclusive Method

When a service organisation itself uses another service organisation (a subservice organisation), two methods handle this in the report:

Carve-Out Method

The subservice organisation's controls are excluded from the service organisation's system description and the service auditor's examination. The description identifies the nature of the services performed by the subservice organisation and states that its controls have been carved out. The service organisation's own controls for monitoring the subservice organisation (for example, reviewing the subservice organisation's assurance report and tracking service-level metrics) remain within the description and are tested. The user auditor must separately evaluate the subservice organisation's controls (by obtaining a separate ISAE 3402 report from the subservice organisation or performing procedures directly).

Inclusive Method

The subservice organisation's controls are included in the service organisation's system description and the service auditor's examination. The service auditor tests the subservice organisation's controls as part of the engagement. This produces a more comprehensive report for user auditors, who can rely on the single report for both the service organisation and the subservice organisation.

| Factor | Carve-out | Inclusive |
|---|---|---|
| Description scope | Excludes subservice org | Includes subservice org |
| Testing scope | Service org controls only | Both service and subservice org controls |
| User auditor burden | Must separately evaluate subservice org | Can rely on combined report |
| Practical complexity | Simpler for service auditor | Requires cooperation and access to subservice org |
| Common usage | More prevalent (subservice orgs often reluctant to open up) | Used when subservice org cooperates |

Cloud Providers

The carve-out method is almost universal for major cloud infrastructure providers (AWS, Azure, Google Cloud). These providers issue their own ISAE 3402 or SOC 1 reports separately, and the service organisation using their infrastructure carves them out. User auditors then evaluate two reports: the service organisation's and the cloud provider's. The cloud provider's report itself lists complementary user entity controls that it expects its customers to operate (identity and access management configuration, encryption key handling, network segmentation, logging and monitoring of the customer's own resources). In a carve-out those responsibilities land on the service organisation, so the user auditor should check that the service organisation's description and tested controls actually cover them, rather than assuming the cloud provider's report closes the loop.

Complementary User Entity Controls (CUECs)

ISAE 3402 recognises that the service organisation's controls alone may not be sufficient. The system description identifies controls that the user entity is expected to implement. These are called complementary user entity controls.

Example: A payroll processing service organisation assumes that user entities will authorise payroll changes before submitting them for processing. The service organisation processes what it receives — but the control over authorisation sits with the user entity.

CUECs are critical for user auditors. If the service organisation's controls are designed on the assumption that the user entity performs certain controls, and the user entity fails to implement those controls, the combined control environment has a gap. The user auditor must evaluate whether the user entity has implemented the CUECs identified in the ISAE 3402 report.

The Service Auditor's Procedures

For Type 1 Reports

  1. Obtain the service organisation's description of its system
  2. Evaluate whether the description is fairly presented
  3. Evaluate whether controls are suitably designed to achieve control objectives
  4. Test that controls have been implemented (placed in operation) at the specified date
  5. Obtain written representations from management
  6. Form an opinion and issue the report

For Type 2 Reports

All Type 1 procedures plus:

  1. Design and perform tests of controls to evaluate operating effectiveness over the period
  2. When sampling is used, determine appropriate sample sizes considering the nature of controls, frequency of performance, expected deviation rate, and desired confidence level
  3. Evaluate the results of testing, including any deviations (control exceptions)
  4. If using internal audit work, evaluate the objectivity and competence of internal auditors and reperform selected procedures

Dealing with Exceptions

When tests of controls reveal deviations (exceptions), the service auditor must:

  • Determine the nature, cause, and significance of the deviation
  • Evaluate whether the deviation represents a design deficiency, implementation failure, or operating effectiveness failure
  • Consider whether the deviation affects the opinion (individually or in combination with other deviations)
  • Describe the exception in the report — Type 2 reports must include a description of the tests of controls and their results, including any exceptions identified

User auditors then evaluate the significance of reported exceptions for their specific audit clients.
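ISAE 3402 prescribes no formula for the sample-size step in the Type 2 procedures above or for judging how much a reported exception matters. The following Python is an added example, not from the page or the standard, of the classic attribute-sampling arithmetic a service auditor might use to plan a test of a recurring control and a user auditor might use to weigh an exception in a Type 2 report. It assumes random selection of control occurrences and a binomial model of deviations; the tolerable rate, confidence level and the daily reconciliation scenario are constructed values for illustration.

```python
"""Attribute-sampling arithmetic for tests of controls (added example).

Assumptions (not from ISAE 3402, which prescribes no formula): each control
occurrence either conforms or deviates, occurrences are selected at random,
and a binomial distribution models the count of deviations. Population size
is ignored, which is conservative (slightly larger samples than the exact
hypergeometric answer) for the large populations typical of daily controls.
"""
from math import comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(tolerable_rate: float, expected_deviations: int,
                confidence: float, max_n: int = 5000) -> int:
    """Smallest n such that, if the true deviation rate were as high as the
    tolerable rate, seeing no more than `expected_deviations` deviations in
    the sample would have probability <= (1 - confidence)."""
    alpha = 1.0 - confidence
    for n in range(expected_deviations + 1, max_n + 1):
        if binom_cdf(expected_deviations, n, tolerable_rate) <= alpha:
            return n
    raise ValueError("no sample size up to max_n achieves the required confidence")


def upper_deviation_limit(n: int, observed_deviations: int,
                          confidence: float, tol: float = 1e-7) -> float:
    """Upper bound on the population deviation rate at the given confidence:
    the smallest p for which observing <= observed_deviations in n items is
    no more likely than (1 - confidence). Bisection works because the CDF
    decreases monotonically in p for fixed n and k."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(observed_deviations, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_test(n: int, observed_deviations: int, tolerable_rate: float,
                  confidence: float) -> dict:
    """Compare the achieved upper deviation limit with the tolerable rate.
    Reliance is supported only when the upper limit does not exceed it."""
    udl = upper_deviation_limit(n, observed_deviations, confidence)
    return {
        "sample_size": n,
        "observed_deviations": observed_deviations,
        "upper_deviation_limit": udl,
        "tolerable_rate": tolerable_rate,
        "supports_reliance": udl <= tolerable_rate,
    }


if __name__ == "__main__":
    # Constructed scenario: a daily reconciliation control, 5% tolerable
    # deviation rate, 95% confidence, no deviations expected in the sample.
    n = sample_size(0.05, 0, 0.95)            # 59 items
    n_with_one = sample_size(0.05, 1, 0.95)   # 93 items if one deviation is planned for
    clean = evaluate_test(n, 0, 0.05, 0.95)
    one_exception = evaluate_test(n, 1, 0.05, 0.95)
    print(f"plan (0 expected): n={n}; plan (1 expected): n={n_with_one}")
    print(f"0 exceptions in {n}: UDL={clean['upper_deviation_limit']:.3f}, "
          f"reliance={clean['supports_reliance']}")
    print(f"1 exception  in {n}: UDL={one_exception['upper_deviation_limit']:.3f}, "
          f"reliance={one_exception['supports_reliance']}")
```

Planning for zero deviations at a 5% tolerable rate and 95% confidence gives a 59-item sample; a single exception in that sample pushes the 95% upper deviation limit to roughly 7.8%, above the tolerable rate, so the service auditor either extends the sample or reports the exception with the test results and leaves user auditors to judge its significance for their own clients. The arithmetic is why a reported exception in a Type 2 report is never "immaterial by default".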

The Service Auditor's Report

Type 1 Report Opinion Covers:

(a) The description is fairly presented as at [date]

(b) Controls related to the control objectives are suitably designed

(c) Controls were implemented as at [date]

Type 2 Report Opinion Covers:

(a) The description is fairly presented throughout the period [date to date]

(b) Controls related to the control objectives are suitably designed throughout the period

(c) Controls operated effectively throughout the period to provide reasonable assurance that control objectives were achieved

Report Attachments

The report includes:

  • The system description prepared by the service organisation (management's description)
  • Management's assertion — a written statement from the service organisation's management asserting the description is fairly presented and controls are suitably designed (and, for Type 2, operated effectively)
  • The service auditor's report — the opinion plus description of procedures

For Type 2 reports specifically, the report must include:

  • A description of the tests of controls performed by the service auditor
  • The results of those tests, including exceptions identified

This detail is essential — user auditors need to understand what was tested, how it was tested, and what was found in order to evaluate whether they can rely on the controls for their own audit purposes.

Modified Opinions

The service auditor may issue a qualified or adverse opinion when:

  • The description is not fairly presented in some material respect
  • Controls are not suitably designed to achieve a stated control objective
  • Controls did not operate effectively throughout the specified period (Type 2)

A disclaimer may be issued when a scope limitation prevents the service auditor from obtaining sufficient appropriate evidence.

The User Auditor's Perspective — ISA 402

On the other side of the equation, ISA 402 (Audit Considerations Relating to an Entity Using a Service Organisation) guides user auditors in evaluating and relying on ISAE 3402 reports. The user auditor must:

  1. Obtain an understanding of the nature and significance of services provided and their effect on the user entity's internal control
  2. Obtain sufficient appropriate evidence about controls at the service organisation — typically by reading the ISAE 3402 report
  3. Evaluate the report: Is it from a competent, independent service auditor? Does it cover the relevant period? Does the opinion support reliance? What exceptions were identified?
  4. Evaluate CUECs — has the user entity implemented the complementary controls the service organisation assumes?
  5. Consider the effect of subservice organisations (especially if carved out)

Don't Just File the Report

A common audit quality failing is treating the ISAE 3402 report as a "tick box" — obtaining it, filing it, and moving on. The user auditor must actively read the report, evaluate the relevance of control objectives to their audit, assess exceptions, consider the period covered, and evaluate CUECs at the user entity. Regulators consistently flag insufficient evaluation of service organisation reports as an audit quality issue.

ISAE 3402 vs. SOC 1 and SOC 2

The terminology can be confusing. Here is the relationship:

| Framework | Standard | Focus | Report types |
|---|---|---|---|
| ISAE 3402 | International (IAASB) | Financial reporting controls | Type 1, Type 2 |
| SOC 1 | US (AICPA, SSAE 18, AT-C section 320) | Financial reporting controls | Type 1, Type 2 |
| SOC 2 | US (AICPA, SSAE 18, AT-C sections 105 and 205, reporting against the Trust Services Criteria) | Security, availability, processing integrity, confidentiality, privacy | Type 1, Type 2 |
| SOC 3 | US (AICPA, same attestation standards as SOC 2) | Trust Services Criteria, general-use summary report | Single report type |

SOC 1 and ISAE 3402 are functionally equivalent — both address financial reporting controls at service organisations. Many international service organisations obtain dual reports (ISAE 3402 for international users and SOC 1 for US users) based on a single set of procedures. SOC 2 reports (under ISAE 3000 internationally) cover broader trust services criteria and are increasingly requested for IT and cloud service providers.

European Jurisdiction Implementations

Netherlands

The Netherlands is one of Europe's most active ISAE 3402 markets, driven by its concentration of pension administrators (pensioenuitvoeringsorganisaties), payroll service providers, shared service centres for multinationals, and financial services outsourcing operations. The NBA has published specific guidance on performing ISAE 3402 engagements. Dutch pension funds are required by DNB to ensure that their administrators maintain adequate internal controls, and ISAE 3402 reports are the standard mechanism for demonstrating this. Payroll providers active in the Dutch market (ADP, Visma) and the large pension administrators routinely obtain Type 2 reports. For user auditors of Dutch entities, evaluating ISAE 3402 reports is a core skill; the AFM has repeatedly flagged insufficient evaluation of service organisation reports in its audit quality inspection findings. Dutch practice also sees significant demand for SOC 2-type reports (under ISAE 3000) from IT service providers and cloud-based software companies.

Germany

German implementation follows IDW PS 951 (now aligned with ISAE 3402). Germany's Rechenzentren (data centres), payroll processors (Lohnbuchhaltungsdienste), and shared service centres for the Mittelstand are frequent subjects of ISAE 3402 engagements. BaFin requires financial institutions to ensure adequate controls at outsourced service providers under MaRisk AT 9 (outsourcing requirements), and ISAE 3402 reports are a key tool for demonstrating compliance with supervisory requirements. The IDW has published extensive guidance on the interplay between banking supervisory requirements and ISAE 3402 engagements. For German group auditors dealing with shared service centres in Eastern Europe or Asia (common for German multinationals), ISAE 3402 reports are essential for establishing reliance on controls at remote processing centres. The Wirtschaftsprüfer acting as service auditor must consider both the international standard and German-specific quality management requirements.

United Kingdom

ISA (UK) 402 applies to user auditors and follows the international standard with additional UK-specific material; there is no separate UK version of ISAE 3402, and UK service auditors apply the international standard directly. The UK has a mature service organisation assurance market, with the ICAEW's technical release AAF 01/20 (Assurance Reports on Internal Controls of Service Organisations Made Available to Third Parties) providing a UK framework for controls reports that is used alongside or instead of ISAE 3402. Financial services outsourcing is heavily regulated: the PRA and FCA require firms to maintain adequate oversight of outsourced functions, and ISAE 3402 reports are a primary mechanism. FRC audit quality inspections have repeatedly noted room for improvement in user auditors' evaluation of service organisation reports. UK-based shared service centres, fund administrators, and fintech service providers are frequent subjects of ISAE 3402 and SOC 2 reporting. The UK's post-Brexit regulatory environment has not materially changed the demand for or approach to service organisation reporting.

France

French practice under the CNCC framework has adopted ISAE 3402 principles, with commissaires aux comptes performing service auditor engagements for French outsourcing providers, particularly in the financial services sector. The ACPR requires financial institutions to monitor controls at outsourced service providers, and ISAE 3402 reports satisfy this supervisory expectation. France's growing fintech and regtech sector is generating increasing demand for service organisation reports. For large French groups with shared service centres (centres de services partagés) in countries like Romania, Poland, or Morocco, ISAE 3402 reports from the service auditor at the shared service centre enable the commissaire aux comptes to satisfy ISA 402 requirements without travelling to each location. The H3C, merged on 1 January 2024 into the H2A (Haute autorité de l'audit), oversees quality for ISAE 3402 engagements performed by French practitioners.

Relationship with Other Standards

  • ISAE 3000 — ISAE 3402 operates within the ISAE 3000 framework; compliance with both is required
  • ISA 402 — The user auditor's standard for evaluating service organisation controls and relying on ISAE 3402 reports
  • ISA 315 — The user auditor's understanding of the entity includes understanding relevant services and controls at service organisations
  • ISA 330 — The user auditor's responses to assessed risks may include reliance on ISAE 3402 reports as audit evidence
  • ISA 620 — Applies to the user auditor's use of experts; the service auditor's use of IT specialists is governed by the practitioner's expert requirements of ISAE 3000 (Revised), since the ISAs do not apply to assurance engagements
  • ISQM 1 — Quality management requirements apply to the service auditor's firm
  • IESBA Code — Independence requirements apply; the service auditor must be independent of the service organisation

Frequently Asked Questions

What is the difference between a Type 1 and Type 2 ISAE 3402 report?

A Type 1 report covers a specific point in time and provides an opinion on whether the service organisation's description of its system is fairly presented, whether controls are suitably designed, and whether controls have been implemented. A Type 2 report covers a specified period (typically 12 months) and provides an opinion on everything in a Type 1 report plus whether the controls operated effectively throughout the period. Type 2 reports are significantly more valuable because they demonstrate consistent application of controls over time.

What is the difference between the carve-out and inclusive methods?

The carve-out method excludes the subservice organisation's controls from the service organisation's system description and the service auditor's examination. The user auditor must separately evaluate the subservice organisation's controls. The inclusive method includes the subservice organisation's controls in the description and examination, producing a more comprehensive report. The carve-out method is more prevalent because subservice organisations are often reluctant to open up to another auditor's testing.

What are complementary user entity controls (CUECs)?

CUECs are controls that the service organisation assumes the user entity will implement to complete the control environment. For example, a payroll processor may assume that user entities will authorise payroll changes before submitting them. If the user entity fails to implement CUECs, the combined control environment has a gap. User auditors must evaluate whether the user entity has implemented the CUECs identified in the ISAE 3402 report.

How does ISAE 3402 relate to SOC 1 and SOC 2 reports?

ISAE 3402 (international, IAASB) and SOC 1 (US, AICPA under SSAE 18) are functionally equivalent — both address financial reporting controls at service organisations. Many international service organisations obtain dual reports. SOC 2 reports (under ISAE 3000 internationally) cover broader trust services criteria including security, availability, processing integrity, confidentiality, and privacy, and are increasingly requested for IT and cloud service providers.

Further Reading and Source References

  • IAASB Handbook 2024 — The authoritative source for the complete ISAE 3402 text.
  • ISAE 3000 (Revised) — The overarching framework for all non-audit assurance engagements, within which ISAE 3402 operates.
  • ISA 402 — The user auditor's standard for evaluating service organisation controls and relying on ISAE 3402 reports.
  • ISQM 1 — Quality management requirements applicable to firms performing ISAE 3402 engagements.
  • IESBA Code — Independence and ethical requirements with specific provisions for assurance engagements.