Key takeaways

  • The structural and procedural differences between SOC 1 and ISAE 3402 that affect which report your client's user auditor will accept
  • When a single ISAE 3402 report can substitute for a SOC 1, and when it cannot
  • How to evaluate a service organisation report received from a client and determine whether it meets ISA 402's requirements for your file
  • What goes wrong when user auditors assume the two reports are interchangeable without checking the specific engagement terms

What problem do both standards solve?

A Dutch payroll provider processes salaries for 340 companies. Two of its clients are US-listed. Fourteen are Dutch. US-listed clients want a SOC 1 report. Dutch clients want an ISAE 3402 report. The provider's management asks whether one report can satisfy both groups. The answer depends on what's in the report, who signs it, and which regulatory framework governs the user auditors relying on it.

When an entity outsources a process that affects its financial reporting (payroll, fund administration, IT hosting, claims processing), the entity's auditor still needs assurance over the controls operating at the service organisation. ISA 402.2 makes this the user auditor's responsibility: you must obtain sufficient appropriate audit evidence about the service organisation's controls if those controls are relevant to the user entity's financial statements.

Both SOC 1 and ISAE 3402 exist to provide that evidence in a standardised format. A service auditor examines the service organisation's controls and issues a report that user auditors can rely on. The reports come in two types under both frameworks. A Type 1 report covers the design of controls at a point in time. A Type 2 report covers both design and operating effectiveness over a period, typically 12 months. For audit reliance purposes, Type 2 is what user auditors need in almost every case, because ISA 402.15 requires evidence that controls operated effectively during the period under audit.

The two standards are close cousins. ISAE 3402 was developed with deliberate alignment to the predecessor of SOC 1 (SAS 70), and the IAASB maintained that alignment when SAS 70 was replaced by SSAE 16 and later by SSAE 18. The control objectives, the Type 1/Type 2 distinction, the structure of the service auditor's report, and the requirement for management's description of the system are all conceptually identical. The differences are in the details, and those details matter when a user auditor in one jurisdiction receives a report issued under the other jurisdiction's standard.

Where the standards diverge

The differences between SOC 1 and ISAE 3402 fall into four categories, each with practical consequences for the user auditor evaluating the report.

Governing body and regulatory acceptance

SOC 1 operates under AICPA standards (SSAE 18, specifically AT-C 320). ISAE 3402 operates under IAASB standards. A user auditor in the Netherlands conducting an audit under Dutch law and ISA can rely on an ISAE 3402 report without additional justification. Relying on a SOC 1 report requires the user auditor to evaluate whether the SOC 1 engagement was performed to a standard at least equivalent to ISAE 3402, because the Dutch regulatory framework references international standards, not AICPA standards.

ISA 402.12 requires the user auditor to evaluate the professional competence of the service auditor and the standards under which the report was issued. If the service auditor performed the engagement under SSAE 18 but the user auditor's framework expects ISAE 3402, that evaluation must be documented.

In practice, most European user auditors accept SOC 1 reports from US-based service organisations because the standards are substantively equivalent. But "substantively equivalent" is a judgment the user auditor must make and document on the file, not an assumption.

Report content and complementary user entity controls (CUECs)

Both standards require the service organisation's description to identify complementary user entity controls, which are the controls that user entities must have in place for the overall control objectives to be achieved. Under ISAE 3402 (Appendix 2), these CUECs are included in the system description, and the service auditor's opinion covers whether the description fairly presents the system (including the CUECs).

European user auditors working under ISA 402.15 and ISA 402.16 must evaluate whether the user entity has implemented the CUECs identified in the report. This evaluation is a required audit procedure, not a box-tick. If the ISAE 3402 report states that the control objective for payroll accuracy assumes the user entity reconciles payroll reports to the general ledger monthly, and the user entity doesn't perform that reconciliation, the user auditor cannot rely on the service organisation's controls for that objective.

SOC 1 reports in the US market often include a more granular list of CUECs because the user auditor population is larger and more diverse. For a European user auditor receiving a SOC 1, the CUEC section is usually the most practically useful part of the report for planning the audit approach.

Inclusive method vs. carve-out method for subservice organisations

Both standards address subservice organisations. Under both frameworks, the report can either include the subservice organisation's controls (the inclusive method) or exclude them and identify the subservice organisation as a carve-out.

SOC 1 reports from US service organisations more frequently use the carve-out method, particularly for cloud hosting providers (AWS, Azure, Google Cloud). This means the SOC 1 report excludes the cloud provider's controls, and the user auditor must separately evaluate whether those controls are relevant and whether a separate report on the subservice organisation is needed.

Service auditor's opinion wording

The opinion paragraph differs between the two standards. Under ISAE 3402.49, the service auditor opines that the description fairly presents the system, the controls were suitably designed, and (for Type 2) the controls operated effectively throughout the period. Under SOC 1 (AT-C 320.35), the opinion language is similar but uses AICPA-specific terminology. A European user auditor reading a SOC 1 opinion needs to map the AICPA terminology to the ISAE 3402 equivalents to determine whether the opinion scope covers the same ground.

When can one report satisfy both requirements?

Service organisations with both European and US clients often prefer to issue a single report rather than commissioning two separate engagements. ISAE 3402 is the more common choice for the single-report approach, because ISAE 3402 is an international standard and most US user auditors will accept an ISAE 3402 report from a non-US service organisation.

The reverse is less reliable: a European user auditor receiving a SOC 1 report must document the equivalence assessment, which adds work to the file.

The decision tree for a service organisation's management is straightforward:

  • All user auditors operate under ISA: issue an ISAE 3402 report
  • All user auditors operate under AICPA standards: issue a SOC 1 report
  • Mixed user base: issue an ISAE 3402 report and include a reference in the engagement terms to AICPA AT-C 320 equivalence if the service auditor is willing to make that representation

Some service auditors issue a dual-reference report that cites both standards, though this is less common and requires the service auditor to be competent under both frameworks.

Worked example: Groot Salarisverwerking B.V.

Client scenario: Groot Salarisverwerking B.V. is a Dutch payroll processor with €28M in revenue. It processes payroll for 340 client companies, two of which are subsidiaries of a US-listed group audited by a PCAOB-registered firm. The remaining 338 clients are Dutch or European entities with auditors operating under ISA. Groot Salarisverwerking commissions an annual ISAE 3402 Type 2 report from its service auditor, Van Dijk Audit B.V.

Step 1: Determine which standard the report was issued under

You're the user auditor for Bakker Logistics B.V., one of Groot Salarisverwerking's 338 European clients. You receive the ISAE 3402 Type 2 report. The first thing you verify is the service auditor's opinion paragraph: it references ISAE 3402, the description is as of and for the 12-month period ending 30 September 2025, and the opinion is unqualified.

Step 2: Evaluate the period covered

Bakker Logistics has a 31 December year-end. The ISAE 3402 report covers 1 October 2024 to 30 September 2025. There's a three-month gap between the report period end and the client's year-end. ISA 402.14 requires you to determine what additional audit procedures are needed for that gap period. You could request a bridge letter from the service organisation confirming no material changes to controls since 30 September, or perform additional substantive procedures on October through December payroll transactions.

Step 3: Evaluate complementary user entity controls

The ISAE 3402 report identifies four CUECs. One states that the user entity must reconcile the monthly payroll summary report from Groot Salarisverwerking to the general ledger payroll accounts. You test whether Bakker Logistics performs this reconciliation. It does, monthly, with the most recent reconciliation dated November 2025.

Step 4: Determine whether any subservice organisations are carved out

The report uses the carve-out method for AWS, which hosts Groot Salarisverwerking's payroll platform. The report excludes AWS infrastructure controls. You evaluate whether AWS controls are relevant to Bakker Logistics' financial statement assertions. Given that Groot Salarisverwerking's application-level controls (access management, processing controls, output reconciliations) are covered in the report, and the financial statement risk relates to payroll accuracy rather than infrastructure availability, you conclude that the AWS carve-out does not create a gap in your audit evidence.

The file now contains the ISAE 3402 Type 2 report, a documented evaluation of the service auditor's competence and the standard used, the gap period procedures, the CUEC assessment, and the subservice organisation carve-out evaluation.

Practical checklist for evaluating a service organisation report

  1. Verify the standard under which the report was issued. If it's a SOC 1 (SSAE 18 / AT-C 320) and your audit is conducted under ISA, document your equivalence assessment (ISA 402.12).
  2. Check the report period against your client's financial year-end. If there's a gap, determine whether a bridge letter, subsequent events confirmation, additional substantive testing, or a combination addresses it (ISA 402.14).
  3. Read the CUECs in full. For each CUEC, test whether the user entity has implemented it. If any CUEC is missing, you cannot rely on the related control objective without alternative procedures (ISA 402.16).
  4. Identify subservice organisations that were carved out. Evaluate whether the carved-out controls are relevant to your client's financial statement assertions and what additional evidence you need.
  5. Read the opinion for qualifications. A qualification on a control objective you depend on requires alternative audit procedures.
  6. File everything in one working paper section rather than scattering across multiple files. ISA 402 compliance is one of the areas where AFM inspectors check for a complete, traceable chain of evidence.

Frequently asked questions

Can a European user auditor rely on a SOC 1 report instead of an ISAE 3402 report?

Yes, but the user auditor must document an assessment that the SOC 1 engagement was performed to a standard at least equivalent to ISAE 3402. ISA 402.12 requires the user auditor to evaluate the professional competence of the service auditor and the standards under which the report was issued. Most European user auditors accept SOC 1 reports from US-based service organisations because the standards are substantively equivalent, but this equivalence is a judgment that must be documented on the file.

Should a service organisation with both European and US clients issue a SOC 1 or ISAE 3402 report?

For a mixed user base, ISAE 3402 is generally the safer default. Most US user auditors will accept an ISAE 3402 report from a non-US service organisation, while a European user auditor receiving a SOC 1 must perform and document an equivalence assessment. Some service auditors issue a dual-reference report citing both standards, though this requires competence under both frameworks.

What is the difference between Type 1 and Type 2 reports?

A Type 1 report covers the design of controls at a point in time. A Type 2 report covers both design and operating effectiveness over a period, typically 12 months. For audit reliance purposes, Type 2 is what user auditors need in almost every case, because ISA 402.15 requires evidence that controls operated effectively during the period under audit, not just that they existed at a single date.

What should you do when the report period doesn't cover your client's full year-end?

ISA 402.14 requires you to determine what additional audit procedures are needed for the gap period between the report period end and the client's year-end. Options include requesting a bridge letter from the service organisation confirming no material changes to controls, or performing additional substantive procedures on transactions in the gap period.

Further reading and source references

  • IAASB Handbook 2024: The authoritative source for the complete ISAE 3402 and ISA 402 text.
  • AICPA SSAE 18 (AT-C 320): The US standard governing SOC 1 engagements.
  • ISA 402: Audit Considerations Relating to an Entity Using a Service Organisation.
  • NBA Practice Notes: Dutch guidance on evaluating service organisation reports in the Dutch regulatory context.