What is ISAE 3402?

ISAE 3402 creates a framework for one auditor (the service auditor) to provide evidence that another auditor (the user auditor) can rely on. When a user entity outsources a process that affects its financial reporting — payroll, pension administration, payment processing, fund accounting — the user auditor needs assurance over the controls at the service organization. ISAE 3402 provides the mechanism.

The service auditor examines the service organization's description of its system and evaluates whether controls are suitably designed. For a Type II report, the service auditor also tests whether those controls operated effectively over a period. The scope is limited to controls relevant to user entities' financial reporting (ISAE 3402.3). Controls that serve only operational or compliance purposes fall outside the standard's boundary.

ISAE 3402.13 requires a written assertion from the service organization's management as a precondition for the engagement. Without it, the service auditor cannot issue the report. This assertion covers the fairness of the system description, the suitability of control design, and — for Type II — the operating effectiveness of controls throughout the period.

An ISAE 3402 report is a reasonable assurance engagement, not limited assurance or agreed-upon procedures. It is also not an audit opinion on the service organization's financial statements.

Key Points

  • ISAE 3402 is the standard behind service organization reports that user auditors rely on under ISA 402.
  • It produces two report types: Type I covers the design of controls at a specific date; Type II adds operating effectiveness over a period.
  • The service auditor's report is a reasonable assurance engagement, not limited assurance or agreed-upon procedures.
  • An ISAE 3402 report is not an audit opinion on the service organization's financial statements.

Why it matters in practice

Worked example: VanderBerg Pensioenservices B.V.

Client: Dutch pension administration company, €2.1B assets under management, servicing 14 pension funds. ISAE 3402 Type II report for the period January–December 2024.

System boundary: Contribution processing, benefit calculations, participant data maintenance, and investment transaction recording. The management assertion is obtained per ISAE 3402.13, confirming the description is fairly presented and controls are suitably designed and operating effectively.

Controls tested: 12 control objectives, 47 individual controls. The service auditor tests each control for operating effectiveness over the full twelve-month period, selecting samples and inspecting evidence of performance.

Exception identified: One exception is found — a participant data change processed in April 2024 without the required independent review. The change was a salary update that directly affects benefit calculations. The service auditor reports this per ISAE 3402.42.

Report outcome: Unmodified opinion with the exception noted. Each of the 14 pension fund auditors (the user auditors) must evaluate whether this specific exception affects the assertions they are testing in their own engagements. For a fund where the affected participant is a member, the user auditor tests whether the unreviewed salary change resulted in a misstatement in benefit payments or liability calculations.

What reviewers get wrong

Service auditors sometimes describe the system boundary too broadly, including processes that do not affect user entities' financial reporting. ISAE 3402.9(a) requires the description to cover only controls relevant to user entities' internal control over financial reporting.

The NBA has noted that some reports lack sufficient detail in the description of tests performed and results obtained. ISAE 3402.42 requires enough detail for user auditors to assess the relevance and reliability of the evidence — a summary statement that "controls operated effectively" without describing the nature, timing, and extent of testing is insufficient.

ISAE 3402 vs SOC 1

Dimension            | ISAE 3402                  | SOC 1 (SSAE 18)
---------------------|----------------------------|------------------------------------------
Issuing body         | IAASB (international)      | AICPA (United States)
Jurisdiction         | European and international | Primarily US
Report types         | Type I and Type II         | Type 1 and Type 2
Underlying framework | ISAE 3000 (Revised)        | AT-C Section 320
EU acceptance        | Accepted directly          | Accepted by many, some require ISAE 3402

Key standard references

  • ISAE 3402.3: Scope — assurance reports on controls at a service organization relevant to user entities' financial reporting.
  • ISAE 3402.9(a): The service organization's description must cover only controls relevant to user entities' internal control over financial reporting.
  • ISAE 3402.13: Written assertion from service organization management is a precondition for the engagement.
  • ISAE 3402.42: Description of tests performed and results obtained, including exceptions, in the service auditor's report.
  • ISA 402: The user auditor's responsibilities when the user entity uses a service organization.

Frequently asked questions

Is an ISAE 3402 report an audit opinion?

No. It is an assurance report on controls at a service organization, not an opinion on the service organization's financial statements. It provides evidence that user auditors can rely on under ISA 402.

What is the difference between Type I and Type II under ISAE 3402?

A Type I report covers design of controls at a specific date. A Type II report adds testing of operating effectiveness over a period, providing stronger evidence for user auditors.