A Dutch payroll provider processes salaries for 340 companies. Two of its clients are US-listed. Fourteen are Dutch. US-listed clients want a SOC 1 report. Dutch clients want an ISAE 3402 report. The provider’s management asks whether one report can satisfy both groups. The answer: it depends on what’s in the report and which regulatory framework governs the user auditors relying on it.
SOC 1 is an attestation engagement under SSAE 18 (AT-C 320), issued by the AICPA, governing reports on controls at a service organisation relevant to user entities’ financial reporting. ISAE 3402 is the equivalent international standard issued by the IAASB, with the same objective but different procedural requirements, report formats, and regulatory acceptance.
Key takeaways
- The structural and procedural differences between SOC 1 and ISAE 3402 that affect which report your client’s user auditor will accept
- When a single ISAE 3402 report can substitute for a SOC 1, and when it cannot
- How to evaluate a service organisation report received from a client and determine whether it meets ISA 402’s requirements for your file
- What goes wrong when user auditors assume the two reports are interchangeable without checking the specific engagement terms
What problem do both standards solve?
When an entity outsources a process that affects its financial reporting (payroll, fund administration, IT hosting, claims processing), the entity’s auditor still needs assurance over the controls operating at the service organisation. ISA 402.2 makes this the user auditor’s responsibility: you must obtain sufficient appropriate audit evidence about the service organisation’s controls if those controls are relevant to the user entity’s financial statements.
Both SOC 1 and ISAE 3402 exist to provide that evidence in a standardised format. A service auditor examines the service organisation’s controls and issues a report that user auditors can rely on. The reports come in two types under both frameworks. A Type 1 report covers the design of controls at a point in time. A Type 2 report covers both design and operating effectiveness over a period, typically 12 months. For audit reliance purposes, Type 2 is what user auditors need in almost every case, because ISA 402.15 requires evidence that controls operated effectively during the period under audit, not just that they existed at a single date.
The two standards are close cousins. ISAE 3402 was developed with deliberate alignment to the predecessor of SOC 1 (SAS 70), and the IAASB maintained that alignment when SAS 70 was replaced by SSAE 16 and later by SSAE 18. The control objectives, the Type 1/Type 2 distinction, the structure of the service auditor’s report, and the requirement for management’s description of the system are all conceptually identical. The differences are in the details, and those details matter when a user auditor in one jurisdiction receives a report issued under the other jurisdiction’s standard.
Where the standards diverge
The differences between SOC 1 and ISAE 3402 fall into four categories, each with practical consequences for the user auditor evaluating the report.
Governing body and regulatory acceptance. SOC 1 operates under AICPA standards (SSAE 18, specifically AT-C 320). ISAE 3402 operates under IAASB standards. A user auditor in the Netherlands conducting an audit under Dutch law and ISA (the international standards as adopted by the NBA) can rely on an ISAE 3402 report without additional justification. Relying on a SOC 1 report requires the user auditor to evaluate whether the SOC 1 engagement was performed to a standard that is at least equivalent to ISAE 3402, because the Dutch regulatory framework references international standards, not AICPA standards. ISA 402.12 requires the user auditor to evaluate the professional competence of the service auditor and the standards under which the report was issued. If the service auditor performed the engagement under SSAE 18 but the user auditor’s framework expects ISAE 3402, that evaluation must be documented.
In practice, most European user auditors accept SOC 1 reports from US-based service organisations because the standards are substantively equivalent. But “substantively equivalent” is a judgment the user auditor must make and document on the file, not an assumption.
Report content and complementary user entity controls (CUECs). Both standards require the service organisation’s description to identify complementary user entity controls, which are the controls that user entities must have in place for the overall control objectives to be achieved. Under ISAE 3402, Appendix 2, these CUECs are included in the system description and the service auditor’s opinion covers whether the description fairly presents the system (including the CUECs). SOC 1 under AT-C 320 follows the same structure.
The difference is in how user auditors treat CUECs in practice. European user auditors working under ISA 402.15 and ISA 402.16 must evaluate whether the user entity has implemented the CUECs identified in the report. This evaluation is a required audit procedure, not a box-tick. If the ISAE 3402 report states that the control objective for payroll accuracy assumes the user entity reconciles payroll reports to the general ledger monthly, and the user entity doesn’t perform that reconciliation, the user auditor cannot rely on the service organisation’s controls for that objective.
SOC 1 reports in the US market often include a more granular list of CUECs because the user auditor population is larger and more diverse. For a European user auditor receiving a SOC 1, the CUEC section is usually the most practically useful part of the report for planning the audit approach.
Inclusive method vs. carve-out method for subservice organisations. Both standards address subservice organisations (a service organisation used by the primary service organisation). Under both frameworks, the report can either include the subservice organisation’s controls (the inclusive method) or exclude them and identify the subservice organisation as a carve-out.
The practical difference is that SOC 1 reports from US service organisations more frequently use the carve-out method, particularly for cloud hosting providers (AWS, Azure, Google Cloud). This means the SOC 1 report excludes the cloud provider’s controls, and the user auditor must separately evaluate whether those controls are relevant and whether a separate report on the subservice organisation is needed. European ISAE 3402 reports use the carve-out method at similar rates, but the conversation about subservice organisations is often less familiar to smaller European audit firms that encounter SOC 1 reports for the first time.
Service auditor’s opinion wording. The opinion paragraph differs between the two standards. Under ISAE 3402.49, the service auditor opines that the description fairly presents the system, the controls were suitably designed, and (for Type 2) the controls operated effectively throughout the period. Under SOC 1 (AT-C 320.35), the opinion language is similar but uses AICPA-specific terminology. A European user auditor reading a SOC 1 opinion needs to map the AICPA terminology to the ISAE 3402 equivalents to determine whether the opinion scope covers the same ground. In nearly all cases, it does. But the user auditor should not assume equivalence without reading the opinion paragraph in full.
When can one report satisfy both requirements?
Service organisations with both European and US clients often prefer to issue a single report rather than commissioning two separate engagements. ISAE 3402 is the more common choice for the single-report approach, because ISAE 3402 is an international standard and most US user auditors will accept an ISAE 3402 report from a non-US service organisation. The reverse is less reliable: a European user auditor receiving a SOC 1 report must document the equivalence assessment, which adds work to the file.
A single ISAE 3402 report works when the service organisation’s user base is primarily international or mixed. A single SOC 1 report works when the user base is primarily US-based and the few European user auditors are willing to perform the equivalence assessment. If the service organisation has a large European client base and regulatory expectations from the AFM or another European supervisor, ISAE 3402 is the safer default.
The decision tree for a service organisation’s management is straightforward. When all user auditors operate under ISA, issue an ISAE 3402 report. When all user auditors operate under AICPA standards, issue a SOC 1 report. For a mixed user base, issue an ISAE 3402 report and include a reference in the engagement terms to AICPA AT-C 320 equivalence if the service auditor is willing to make that representation. Some service auditors issue a dual-reference report that cites both standards, though this is less common and requires the service auditor to be competent under both frameworks.
Worked example: Groot Salarisverwerking B.V.
Client scenario
Groot Salarisverwerking B.V. is a Dutch payroll processor with €28M in revenue. It processes payroll for 340 client companies, two of which are subsidiaries of a US-listed group audited by a PCAOB-registered firm. The remaining 338 clients are Dutch or European entities with auditors operating under ISA. Groot Salarisverwerking commissions an annual ISAE 3402 Type 2 report from its service auditor, Van Dijk Audit B.V.
Step 1: Determine which standard the report was issued under
You’re the user auditor for Bakker Logistics B.V., one of Groot Salarisverwerking’s 338 European clients. You receive the ISAE 3402 Type 2 report. The first thing you verify is the service auditor’s opinion paragraph: it references ISAE 3402, the description is as of and for the 12-month period ending 30 September 2025, and the opinion is unqualified.
Documentation note: Record the standard under which the report was issued (ISAE 3402), the report period, the report type (Type 2), and whether the opinion is qualified or unqualified. File a copy of the opinion page in the working paper file. Reference ISA 402.12.
Step 2: Evaluate the period covered
Bakker Logistics has a 31 December year-end. The ISAE 3402 report covers 1 October 2024 to 30 September 2025. There’s a three-month gap between the report period end and the client’s year-end. ISA 402.14 requires you to determine what additional audit procedures are needed for that gap period. You could request a bridge letter from the service organisation confirming no material changes to controls since 30 September, or perform additional substantive procedures on October through December payroll transactions.
Documentation note: Record the gap between the report period and the client’s financial year-end. Document the additional procedures performed to cover the gap period. If a bridge letter was obtained, file it. Reference ISA 402.14.
Step 3: Evaluate complementary user entity controls
The ISAE 3402 report identifies four CUECs. One states that the user entity must reconcile the monthly payroll summary report from Groot Salarisverwerking to the general ledger payroll accounts. You test whether Bakker Logistics performs this reconciliation. It does, monthly, with the most recent reconciliation dated November 2025.
Documentation note: List each CUEC from the report. For each, document whether the user entity has implemented the control and the evidence obtained. If a CUEC is not implemented, document the impact on audit reliance and the alternative procedures performed. Reference ISA 402.16.
Step 4: Determine whether any subservice organisations are carved out
The report uses the carve-out method for AWS, which hosts Groot Salarisverwerking’s payroll platform. The report excludes AWS infrastructure controls. You evaluate whether AWS controls are relevant to Bakker Logistics’ financial statement assertions. Given that Groot Salarisverwerking’s application-level controls (access management, processing controls, output reconciliations) are covered in the report, and the financial statement risk relates to payroll accuracy rather than infrastructure availability, you conclude that the AWS carve-out does not create a gap in your audit evidence for Bakker Logistics.
Documentation note: Identify any subservice organisations carved out of the report. Document the assessment of whether the carved-out controls are relevant to the user entity’s financial statements. Record the conclusion and the basis for it. Reference ISA 402.13.
The file now contains the ISAE 3402 Type 2 report, a documented evaluation of the service auditor’s competence and the standard used, the gap period procedures, the CUEC assessment, and the subservice organisation carve-out evaluation. A reviewer would see a complete chain from the service organisation’s controls to the audit evidence relied upon for the payroll cycle.
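The four evaluation steps above, encoded as a small reliance checklist in Python. This is an added example, not code from the original page or from any ciferi tool: it takes the report’s metadata and the user auditor’s framework and returns the findings the file must document, using the dates from the Groot Salarisverwerking scenario. The field and function names are assumptions, and the three CUECs other than the payroll reconciliation are constructed for the sample.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class ServiceOrgReport:
    standard: str           # "ISAE 3402" or "SOC 1"
    report_type: int        # 1 = design only, 2 = design and operating effectiveness
    period_end: date
    opinion_qualified: bool
    cuecs: dict             # CUEC text -> True if the user entity has implemented it
    carve_outs: dict        # subservice organisation -> True if relevant to FS assertions


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from earlier to later (negative if later comes first)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def evaluate_reliance(report: ServiceOrgReport, user_framework: str, year_end: date) -> dict:
    """Work through the ISA 402 evaluation steps and return what the file must document."""
    findings = []
    # Step 1: standard the report was issued under (equivalence assessment for SOC 1 under ISA)
    if user_framework == "ISA" and report.standard != "ISAE 3402":
        findings.append(f"{report.standard}: document equivalence to ISAE 3402 (ISA 402.12)")
    if report.report_type != 2:
        findings.append("Type 1: no evidence of operating effectiveness (ISA 402.15)")
    # Step 2: gap between the report period end and the client's year-end
    gap_months = max(0, months_between(report.period_end, year_end))
    if gap_months:
        findings.append(f"{gap_months}-month gap to year-end: bridge letter or substantive procedures (ISA 402.14)")
    # Step 3: CUECs the user entity has not implemented block reliance on the related objective
    missing = [c for c, done in report.cuecs.items() if not done]
    findings += [f"CUEC not implemented, alternative procedures (ISA 402.16): {c}" for c in missing]
    # Step 4: carved-out subservice organisations that are relevant need separate evidence
    relevant = [s for s, rel in report.carve_outs.items() if rel]
    findings += [f"Relevant carve-out, separate evidence needed (ISA 402.13): {s}" for s in relevant]
    if report.opinion_qualified:
        findings.append("Qualified opinion: map qualification to control objectives relied upon")
    if report.report_type != 2:
        status = "no_reliance"
    elif missing or relevant or report.opinion_qualified:
        status = "partial_reliance"
    else:
        status = "rely"
    return {"status": status, "gap_months": gap_months, "findings": findings}


# Constructed sample for the Groot Salarisverwerking scenario; only the first CUEC is from the page.
GROOT_REPORT = ServiceOrgReport(
    standard="ISAE 3402", report_type=2, period_end=date(2025, 9, 30), opinion_qualified=False,
    cuecs={"Reconcile monthly payroll summary to GL payroll accounts": True,
           "Review starter/leaver input before submission (constructed)": True,
           "Approve payroll output before payment release (constructed)": True,
           "Restrict portal admin rights to named HR staff (constructed)": True},
    carve_outs={"AWS (hosting)": False},
)
```

Running `evaluate_reliance(GROOT_REPORT, "ISA", date(2025, 12, 31))` yields the single three-month gap finding from Step 2 and a status of `rely`; swapping in a SOC 1 report or an unimplemented CUEC adds the corresponding ISA 402.12 or 402.16 item.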
Practical checklist for evaluating a service organisation report
- Verify the standard under which the report was issued. If the report is a SOC 1 (SSAE 18 / AT-C 320) and your audit is conducted under ISA, document your assessment that the SOC 1 engagement was performed to a standard at least equivalent to ISAE 3402 (ISA 402.12).
- Check the report period against your client’s financial year-end. If there’s a gap, determine whether a bridge letter, a subsequent events confirmation from the service organisation, additional substantive testing, or a combination addresses the gap (ISA 402.14).
- Read the CUECs in full. For each CUEC, test whether the user entity has implemented it. If any CUEC is missing, you cannot rely on the related control objective without alternative procedures (ISA 402.16).
- Identify any subservice organisations that were carved out. Evaluate whether the carved-out controls are relevant to your client’s financial statement assertions and, if so, what additional evidence you need.
- Read the service auditor’s opinion for qualifications. If the opinion is qualified, evaluate whether the qualification affects the control objectives you’re relying on. A qualification relating to a control objective outside your scope of reliance may not require further action. A qualification on a control objective you depend on requires alternative audit procedures.
- File the opinion page, your evaluations, and your conclusions in one working paper section rather than scattering them across multiple files. ISA 402 compliance is one of the areas where AFM inspectors check for a complete, traceable chain of evidence.
Related content
- ISAE 3402 Audit Template Pack: The ciferi ISAE 3402 workbook covers the service auditor side of the engagement, including the Type 2 testing matrix, control objective documentation, and management assertion templates.
- Quality management system: Glossary entry covering ISQM 1’s quality management framework, which governs how your firm evaluates the competence of service auditors whose reports you rely on.
If you’re working under the ISAE framework, the ISAE 3402 Audit Workbook is built for it. Every paragraph reference, report template, control classification, and scoping decision follows the international standard rather than SSAE 18.
Frequently asked questions
Can a European user auditor rely on a SOC 1 report instead of an ISAE 3402 report?
Yes, but the user auditor must document an assessment that the SOC 1 engagement was performed to a standard at least equivalent to ISAE 3402. ISA 402.12 requires the user auditor to evaluate the professional competence of the service auditor and the standards under which the report was issued. Most European user auditors accept SOC 1 reports from US-based service organisations because the standards are substantively equivalent, but this equivalence is a judgment that must be documented on the file.
Should a service organisation with both European and US clients issue a SOC 1 or ISAE 3402 report?
For a mixed user base, ISAE 3402 is generally the safer default. Most US user auditors will accept an ISAE 3402 report from a non-US service organisation, while a European user auditor receiving a SOC 1 must perform and document an equivalence assessment. Some service auditors issue a dual-reference report citing both standards, though this requires competence under both frameworks.
What is the difference between type 1 and type 2 reports?
A Type 1 report covers the design of controls at a point in time. A Type 2 report covers both design and operating effectiveness over a period, typically 12 months. For audit reliance purposes, Type 2 is what user auditors need in almost every case, because ISA 402.15 requires evidence that controls operated effectively during the period under audit, not just that they existed at a single date.
What should you do when the report period doesn’t cover your client’s full year-end?
ISA 402.14 requires you to determine what additional audit procedures are needed for the gap period between the report period end and the client’s year-end. Options include requesting a bridge letter from the service organisation confirming no material changes to controls, or performing additional substantive procedures on transactions in the gap period.
Further reading and source references
- IAASB Handbook 2024: The authoritative source for the complete ISAE 3402 and ISA 402 text.
- AICPA SSAE 18 (AT-C 320): The US standard governing SOC 1 engagements.
- ISA 402: Audit Considerations Relating to an Entity Using a Service Organisation.
- NBA Practice Notes: Dutch guidance on evaluating service organisation reports in the Dutch regulatory context.