What you'll learn
- Which ISAE 3402 paragraphs actually govern sampling (and why A47-A54 is wrong)
- How to set deviation criteria before fieldwork begins, not after results are known
- How sample sizes vary by control frequency, risk level, and confidence level using the ISA 530 framework
- How the [ISAE 3402 template pack's](/templates) testing protocol corrects these references with a built-in sample size table
Pull up the last ISAE 3402 testing file you reviewed. Find the paragraph reference for sampling methodology. If it says A47 through A54, your file cites modified opinion guidance as the basis for your sample sizes. Those paragraphs have nothing to do with sampling.
The correct ISAE 3402 sampling references are paragraphs 24 to 29 (requirements) and A28 to A36 (application material), supplemented by ISA 530 applied by analogy through ISAE 3000. Paragraphs A47 to A54 address when and how to modify the service auditor's opinion, not how to determine sample sizes or select items for testing.
The paragraph confusion: where it comes from
ISAE 3402 is not a long standard. The requirements section runs from paragraph 1 to approximately paragraph 60. The application material runs from A1 to approximately A60. Despite this compact structure, most practitioners cannot locate the sampling paragraphs without searching. The reason is that ISAE 3402 does not contain a standalone sampling section. Sampling requirements are embedded within the broader testing requirements at paragraphs 24 to 29.
Paragraphs A47 to A54 sit in the application material under the section addressing the service auditor's report. They cover the conditions for qualified and adverse opinions: what constitutes a sufficiently serious deviation or scope limitation to trigger opinion modification. Because these paragraphs discuss deviations and their consequences, practitioners reading them encounter language about testing results and significance thresholds. It sounds like sampling guidance. It is not.
The confusion is self-reinforcing. A senior writes the testing protocol citing A47-A54 because a prior-year file cited A47-A54. The manager reviews against the prior-year file and sees consistency. Nobody checks the actual paragraphs because the reference has become institutional. Three years later, the firm's entire ISAE 3402 methodology references the wrong paragraphs.
This matters because paragraph 24 contains a requirement that A47-A54 does not: testing must cover "throughout the specified period." A firm citing only A47-A54 may not be aware of this requirement and may cluster all sample items in one quarter.
What paragraphs 24 to 29 actually require
Paragraph 24 establishes the testing period. The service auditor must test controls throughout the period specified in the service organisation's description. Not a snapshot. Not the last quarter. Throughout. This is the paragraph that prohibits clustered sampling (all sample items from October through December in a twelve-month engagement).
Paragraph 25 addresses the nature of testing procedures. The requirement at 25(a) is categorical: inquiry alone is not sufficient as evidence that a control operated effectively. Every test must combine inquiry with at least one other procedure (inspection, observation, or reperformance). This is the most common AFM deficiency finding on ISAE 3402 engagements.
Paragraphs 26 and 27 address the extent of testing, including how the service auditor determines sample sizes. These paragraphs direct the auditor to consider the nature and frequency of the control, the expected and tolerable deviation rates, and the risk assessment. The application material at A28 to A36 provides the additional guidance on how to apply ISA 530 concepts by analogy.
Paragraph 28 covers what to do when deviations are identified during testing. Paragraph 29 addresses the implications for the service auditor's report.
The application material at A28 through A36 addresses selection methods, population completeness, the distinction between statistical and non-statistical approaches, and how to evaluate sample results. This is the material that corresponds to ISA 530's sampling framework. It lives here, not at A47.
The mandatory planning block: deviation criteria defined before fieldwork
The testing protocol in the ISAE 3402 template pack opens each test procedure with a planning block that must be completed before fieldwork begins. The most critical field in this block is the deviation definition.
ISAE 3402.A27 (and ISA 530 by analogy) requires that deviation criteria be established before testing. The purpose is to prevent post-hoc judgment: the tester should know what constitutes a deviation before looking at a single sample item. If deviation criteria are defined after testing, the criteria will (consciously or not) be shaped by the results observed. This is the same principle that drives the pre-registration of hypotheses in scientific research, applied to audit testing.
A deviation definition for a monthly payroll variance review might read: "DEVIATION = any of: (a) checklist not completed by the 15th of the following month, (b) signed by a person other than the Payroll Manager or designated backup, (c) variance exceeding 5% with no documented investigation, (d) investigation notes missing for any flagged department." Each condition is specific, observable, and binary. The tester either finds it or does not.
Without pre-defined criteria, the tester encounters a late review and must decide in the moment whether "three days late" is a deviation. That judgment call, made during fieldwork, is exactly what the standard seeks to eliminate.
The planning block also requires the tester to document: the control frequency, population size, confidence level (90% or 95%), tolerable deviation rate (typically 5% to 10%), the resulting sample size, and the selection method. All of this is set before the tester touches a single sample item.
Sample sizes by frequency and risk level
The testing protocol embeds a sample size quick reference based on ISA 530, assuming zero expected deviations. The reference table covers the most common control frequencies.
- Annual controls: 1 (the single occurrence).
- Semi-annual controls: 1 to 2 occurrences.
- Quarterly controls: 2 at standard risk; all 4 occurrences (100%) for high-risk or key controls.
- Monthly controls: 3 to 4 at standard risk; 4 to 5 for high-risk controls.
- Weekly controls: 5 to 9 at standard risk; 9 to 15 for high risk.
- Daily controls: 20 to 25 at standard risk; 25 to 40 for high risk.
These are baselines, not ceilings. Three factors increase sample sizes beyond the baseline.
First, risk level. A high combined risk assessment (from the risk assessment tab) increases the sample above standard. The risk drives the confidence level: 90% confidence requires smaller samples than 95%.
Second, key control classification. Key controls carry higher samples than non-key controls at the same frequency. The rationale is that failure of a key control has a direct, unmitigated impact on the control objective.
Third, prior-year deviations. If the same control had deviations in the prior period, the current-period sample should increase even if the control has been remediated. The prior deviation creates a higher baseline expectation of error.
The quick reference is not a substitute for judgment. But it prevents the opposite problem: arbitrary sample sizes with no documented basis. An inspector who sees "sample size: 3" for a monthly control wants to know why 3. The reference table provides the "why."
Five critical junior errors in ISAE 3402 testing
The testing protocol flags five errors that account for the majority of review comments on ISAE 3402 testing working papers. These are drawn from AFM and PCAOB inspection findings.
Clustered sampling is the first. All sample items come from one period (typically the last quarter) rather than spread across the full engagement period. ISAE 3402.24 requires testing throughout the specified period. Selecting all 5 monthly payroll reviews from August through December in a twelve-month engagement violates this requirement.
Inquiry alone is the second. A test procedure that consists entirely of "discussed with management who confirmed the control operates" fails ISAE 3402.25(a). Inquiry must be combined with inspection, observation, or reperformance.
Undefined deviation criteria is the third. The tester begins fieldwork without documenting what constitutes a deviation. When results come in, the criteria are defined to fit the results. This is a planning failure, not a testing failure. Pre-defined criteria eliminate the problem.
Untested IPE is the fourth. The tester relies on a system-generated report (a user access listing, a payroll register, an exception report) without testing whether the report is complete and accurate. The PCAOB's 2024 Staff Alert specifically flagged this as requiring both completeness and accuracy testing.
Confusing design with operating effectiveness is the fifth. A control "exists" in the process documentation. The tester confirms it exists and concludes it is effective. But existence is a design question (does the control exist and is it capable of achieving the objective?). Operating effectiveness is a separate question (did the control actually operate consistently throughout the period?). ISAE 3402.A29 draws this distinction. A control that exists but was not performed in three of twelve months has a design that works and an operating effectiveness that does not.
Worked example: Müller IT-Dienste GmbH
Entity: Müller IT-Dienste GmbH, a German IT managed services provider with €52M revenue, hosting financial applications for 87 client entities. Type II engagement covering 1 January to 31 December 2025. The change management control: Change Advisory Board (CAB) reviews and approves all changes to production systems before deployment. Frequency: weekly (52 occurrences per year). Classification: key control, high risk.
The tester opens the testing protocol and completes the planning block for the change management control. Frequency: weekly. Population: 52 CAB meetings in the period. Confidence level: 95% (high risk, key control). Tolerable deviation rate: 5%. Sample size: 9 to 15 per the quick reference for weekly high-risk controls. The tester selects 12, spread across all twelve months (one per month). Selection method: systematic with a random start. Documentation note: planning block completed and signed before fieldwork. Deviation criteria pre-defined as documented in the next step.
The tester defines deviation criteria before selecting any sample items. "DEVIATION = any of: (a) CAB meeting minutes not available for the sampled week, (b) change deployed to production before CAB approval documented, (c) CAB approval signed by unauthorised person, (d) no test evidence or rollback plan documented for the approved change, (e) emergency change without retrospective CAB ratification within five business days." Documentation note: five specific conditions listed in the deviation definition column. Each is observable, binary, and measurable.
The tester selects 12 CAB meetings spread across the year: one from each calendar month. For each, the tester inspects the meeting minutes, verifies approval signatures, checks deployment dates against approval dates, and confirms test evidence is attached. IPE flag: Y (CAB minutes generated by the ITSM system). IPE testing: completeness verified by reconciling ITSM change log count to minutes; accuracy verified by reperforming two approval sequences. Documentation note: 12 sample items documented with specific dates and ITSM ticket numbers sufficient for a reviewer to locate and re-inspect each item.
Results: 0 deviations across all 12 sampled meetings. Two emergency changes were identified during the period; both received retrospective CAB ratification within three business days (within the five-day threshold). Observed deviation rate: 0%. Tolerable deviation rate (TDR): 5%. TDR not breached. Documentation note: conclusion recorded as "EFFECTIVE. 0 deviations across 12 sampled CAB meetings. Emergency changes ratified within policy threshold. IPE confirmed. No gap analysis entry required."
The tester confirms the paragraph reference in the working paper header: "Sampling: ISAE 3402 Para. 24-29, A28-A36. ISA 530 applied by analogy via ISAE 3000." Documentation note: prior-year file referenced A47-A54. Current-year file corrected. Change noted in the methodology section with brief explanation.
A reviewer reading this test can trace the chain: pre-defined deviation criteria, documented sample size basis, spread across the period, IPE tested, correct paragraph references. No ambiguity.
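The Müller worked example as an added Python check (written for this page; it is not the template pack's own tooling): it applies the five pre-defined deviation conditions from the planning block to a constructed 12-item CAB sample, confirms one sampled week per month, and compares the observed deviation rate to the 5% TDR. The authorised-signatory list, the field names and the sample dates are assumptions; the emergency-change branch uses a weekend-skipping business-day count for the five-day ratification threshold.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

AUTHORISED = {"CAB Chair", "CAB Deputy"}  # constructed list of authorised signatories

@dataclass
class CabItem:
    week_of: date                  # sampled CAB meeting week
    minutes: bool                  # (a) minutes available for the week
    approved: date | None          # (b) date CAB approval was documented
    deployed: date                 # (b) date the change reached production
    approver: str                  # (c) who signed the approval
    evidence: bool                 # (d) test evidence and rollback plan attached
    emergency: bool = False        # (e) went through the emergency path
    ratified: date | None = None   # (e) retrospective CAB ratification date

def business_days(start: date, end: date) -> int:
    """Mon-Fri days after start up to and including end; weekends are skipped."""
    n, d = 0, start
    while d < end:
        d += timedelta(days=1)
        n += d.weekday() < 5
    return n

def deviations(it: CabItem) -> list[str]:
    """Apply the five pre-defined binary conditions; return the letters that fail."""
    # Emergency changes deploy before approval by design, so (b) is replaced by (e).
    late = it.emergency and (it.ratified is None or business_days(it.deployed, it.ratified) > 5)
    early = not it.emergency and (it.approved is None or it.deployed < it.approved)
    checks = {"a": not it.minutes, "b": early, "c": it.approver not in AUTHORISED,
              "d": not it.evidence, "e": late}
    return [k for k, failed in checks.items() if failed]

def evaluate(sample: list[CabItem], months: int = 12, tdr: float = 0.05) -> dict:
    """Check spread across the period and compare the observed deviation rate to TDR."""
    failing = {it.week_of.isoformat(): deviations(it) for it in sample if deviations(it)}
    rate = len(failing) / len(sample)
    return {"spread_ok": len({it.week_of.month for it in sample}) == months,
            "deviations": failing, "rate": rate, "tdr_breached": rate > tdr}

def mueller_sample() -> list[CabItem]:
    """Constructed 12-item sample, one CAB week per month of 2025 (not real client data)."""
    items = [CabItem(date(2025, m, 6), True, date(2025, m, 6), date(2025, m, 8), "CAB Chair", True)
             for m in range(1, 13)]
    # One emergency change: deployed Fri 2025-03-07, ratified Wed 2025-03-12 (3 business days).
    items[2] = CabItem(date(2025, 3, 6), True, None, date(2025, 3, 7), "CAB Chair", True,
                       emergency=True, ratified=date(2025, 3, 12))
    return items
```

A sample drawn entirely from Q4 fails the spread check regardless of how many items it contains, which is the clustering error ISAE 3402.24 rules out.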
Practical checklist for ISAE 3402 testing
Verify your paragraph references before fieldwork. Sampling guidance is at ISAE 3402 paragraphs 24 to 29 and A28 to A36 (supplemented by ISA 530 via ISAE 3000). If your methodology or working paper header cites A47 to A54, correct it. Those paragraphs address modified opinions.
Complete the planning block for every test procedure before selecting any sample items. The planning block must include: deviation criteria, population, confidence level, tolerable deviation rate, sample size, and selection method (ISAE 3402.A27).
Spread sample items across the full engagement period. Do not cluster in the final quarter. ISAE 3402.24 requires testing "throughout the specified period."
For every test, combine inquiry with at least one other procedure: inspection, observation, or reperformance. Inquiry alone never satisfies ISAE 3402.25(a).
Flag all IPE at the planning stage and test completeness and accuracy before relying on the reports as audit evidence. Do not treat system-generated reports as inherently reliable.
Check prior-year deviations for each control. If deviations existed, increase the sample size even if the control has been remediated.
Common mistakes
Citing ISAE 3402 paragraphs A47-A54 as the basis for sampling methodology. These paragraphs govern opinion modification, not testing extent. The correct references are paragraphs 24-29 (requirements) and A28-A36 (application material).
Defining deviation criteria after testing is complete. The PCAOB's inspection findings have flagged files where the deviation definition matched the results exactly, suggesting post-hoc definition. Pre-defined criteria eliminate this risk.
Testing only the most recent quarter in a twelve-month engagement. ISAE 3402.24 requires coverage throughout the specified period. A sample drawn entirely from Q4 does not satisfy this requirement regardless of sample size.
Related content
- ISA 530 glossary entry. Explains the sampling framework that ISAE 3402 applies by analogy, including tolerable deviation rate and expected deviation rate concepts.
- ISAE 3402 template pack. Contains the testing protocol with pre-defined planning blocks, embedded sample size quick reference, and the five critical junior errors checklist.
- ISAE 3402 gap analysis: from deviation to opinion in four worked examples. Explains what happens when testing identifies deviations and how they flow into the gap analysis.