What you'll learn
- How ISAE 3402 and SOC 2 differ in scope, structure, and regulatory acceptance
- When European clients require ISAE 3402 and when US-listed entities demand SOC 2
- How to advise service organisations that serve both markets on dual-report options
- What Type I and Type II mean under each standard (they're not identical)
Your client runs payroll for 60 companies across four countries. Their largest customer just asked for "a SOC 2." Two weeks later, a Dutch pension fund asked for "an ISAE 3402 report." The service organisation wants to know if one report can satisfy both. It can't, and the reasons go beyond geography.
ISAE 3402 is the IAASB's assurance standard for reporting on controls at a service organisation, used predominantly in Europe; SOC 2 is the AICPA's framework built on trust services criteria, accepted primarily in the United States. The choice between them depends on where the user organisations operate, what regulators expect, and whether the report needs to cover financial reporting controls or broader operational categories.
What each standard actually covers
ISAE 3402 (International Standard on Assurance Engagements 3402) was issued by the IAASB and applies to assurance engagements on controls at a service organisation that are relevant to user entities' financial reporting. The standard requires a service auditor to obtain sufficient appropriate evidence about the description of the system, the suitability of control design, and (for Type II) operating effectiveness over a specified period. European regulators, including the AFM in the Netherlands and BaFin in Germany, recognise ISAE 3402 reports as the accepted format when user auditors rely on controls at outsourced service providers under ISA 402.
SOC 2 is built on the AICPA's trust services criteria and covers five categories: security, availability, processing integrity, confidentiality, and privacy. Unlike ISAE 3402, SOC 2 is not limited to controls relevant to financial reporting. A SaaS provider that processes no financial data but stores personal information might need a SOC 2 report addressing the privacy and security criteria while having no reason to produce an ISAE 3402. The AICPA governs the standard and the report format. US regulators and user auditors expect SOC 2 (or SOC 1, which uses SSAE 18 and maps more closely to ISAE 3402's scope).
The distinction matters because an ISAE 3402 report cannot cover privacy or availability as standalone objectives. Those sit outside the financial reporting scope ISAE 3402 was designed for.
Structural differences that matter on an engagement
The reports diverge in four areas that affect how you plan the engagement and what the end product looks like.
Control objectives vs trust services criteria. An ISAE 3402 report is organised around control objectives that management defines in the system description. A payroll service organisation might have objectives covering accurate calculation of gross-to-net pay, timely remittance of tax withholdings, proper segregation of duties in payment processing, and accurate period-end reporting. The service auditor tests controls mapped to those objectives. SOC 2, by contrast, uses the AICPA's pre-defined trust services criteria (the "points of focus" within each category). The service organisation selects which of the five categories are in scope, but the criteria within each category are fixed.
Report distribution. ISAE 3402 reports carry a restricted-use paragraph but in practice circulate to user auditors and their clients. SOC 2 reports are restricted-use documents distributed under a non-disclosure agreement or through a controlled portal. A SOC 3 (the general-use version) exists for public distribution, but it contains no detailed control descriptions or test results.
Regulatory backing. ISAE 3402 is referenced directly by ISA 402.A21 and accepted by European national audit oversight bodies. SOC 2 has no equivalent ISA reference. When an EU-based user auditor receives a SOC 2 report, they need to evaluate whether the trust services criteria adequately cover the financial reporting controls relevant to their audit. That evaluation adds work.
Subservice organisations. Both frameworks address subservice organisations, and they use the same terminology (inclusive method and carve-out method); the practical treatment is similar. This is one area where the two standards align closely.
Type I vs Type II under both standards
Both ISAE 3402 and SOC 2 distinguish between Type I and Type II reports, and the meaning is functionally identical under both standards.
A Type I report covers the description of the system and the suitability of control design as of a specific date. The service auditor does not test operating effectiveness. A Type II report covers a period (typically 9 to 12 months) and includes testing of whether controls operated effectively throughout that period.
User auditors relying on a Type I report have a problem. ISA 402.16 requires the user auditor to determine whether the Type I report provides sufficient appropriate evidence about the operating effectiveness of controls. In most cases, it does not. The user auditor then needs to perform additional procedures at the service organisation or at the user entity. Type I reports are common for first-year ISAE 3402 engagements where the service organisation has not yet completed a full reporting period, but they are not a long-term solution.
A common error: treating a Type II report with a period ending six months before the user entity's year-end as equivalent to full-period coverage. It is not. The gap period requires either a bridge letter or additional procedures.
Decision framework: which report does the client need?
The decision tree is shorter than most practitioners expect.
If user organisations are predominantly European (and the controls are relevant to financial reporting), the service organisation needs an ISAE 3402 report. European user auditors reference ISA 402, which points to ISAE 3402. A SOC 2 is not a substitute because it does not follow an IAASB standard and European audit oversight bodies have not adopted the AICPA framework.
If user organisations are predominantly US-based or the service organisation serves US-listed companies, the client needs a SOC 1 (SSAE 18) for financial reporting controls or a SOC 2 for operational, security, and privacy controls. Many US user auditors will not accept an ISAE 3402 report because their firms' quality management policies reference AICPA standards.
If user organisations span both markets, the service organisation faces a choice: produce two separate reports, or find an auditor willing to issue a dual report. A dual report maps the same controls to both ISAE 3402 control objectives and SOC 2 trust services criteria. This is possible when the scope overlaps (financial reporting controls that also address security and processing integrity). It is not possible when the user entities need coverage of privacy or availability criteria that fall outside ISAE 3402's financial reporting scope.
If the controls are not related to financial reporting (pure IT security, data privacy, business continuity), SOC 2 is the appropriate framework regardless of geography. ISAE 3402 does not cover these areas. Some European clients may accept an ISAE 3000 engagement as an alternative, but that requires bespoke criteria and is more expensive.
Worked example
Verhoeven Payroll Services B.V. (revenue €28M) processes payroll for 120 user entities across the Netherlands, Belgium, and Germany. Two US-listed subsidiaries of European parent companies recently joined as clients.
Identify user entity geography and regulatory requirements. Verhoeven's 118 European clients have user auditors who rely on ISA 402, which references ISAE 3402. The two US-listed subsidiaries have auditors following PCAOB standards who expect SOC 1 or SOC 2 reports. Documentation note: Record in the engagement file the user entity population by jurisdiction and the regulatory framework each user auditor follows.
Determine the scope of controls. Verhoeven's controls cover gross-to-net calculation accuracy, tax withholding remittance, data input validation, and system access management. All four relate to financial reporting. No user entity has requested privacy or availability coverage. Documentation note: Map each control objective to the financial reporting assertion it supports. Confirm no trust services criteria outside ISAE 3402's scope are needed.
Evaluate the dual-report option. Because all requested controls fall within financial reporting, a dual ISAE 3402 / SOC 1 report is feasible. Verhoeven's auditor (a mid-tier firm with both IAASB and AICPA licences) can issue a single engagement covering both standards. The incremental cost over a standalone ISAE 3402 is roughly 15-20% for the additional SOC 1 mapping and AICPA formatting. Documentation note: Record the cost-benefit analysis and the decision rationale. If the firm cannot issue both, document why a second engagement is needed.
Set the reporting period. Verhoeven's financial year ends 31 December. The Type II report should cover 1 January to 31 December to avoid gap-period issues for user auditors. Documentation note: Confirm the reporting period aligns with the majority of user entities' financial year-ends. If it does not, document the bridge letter requirements per ISA 402.12.
The result: Verhoeven issues a dual ISAE 3402 / SOC 1 Type II report, covering the full calendar year and satisfying both European and US user auditor requirements with a single engagement.
Practical checklist
- Identify every user entity's jurisdiction and the assurance standard their auditor follows (ISA 402 for Europe, SSAE 18 for the US) before scoping the engagement.
- Determine whether requested controls fall within financial reporting (ISAE 3402 / SOC 1 territory) or extend to security, privacy, or availability (SOC 2 territory).
- For service organisations serving both markets, evaluate whether a dual report is feasible or whether separate engagements are required. Document the decision.
- Confirm the reporting period covers user entities' financial year-ends. A Type II report ending six months before the user entity's year-end creates a gap that requires additional procedures.
- When a European user auditor receives a SOC 2 instead of an ISAE 3402, document the evaluation of whether the trust services criteria cover the relevant financial reporting controls (ISA 402.A21 does not assume they do).