What is ISAE 3402?
ISAE 3402 (International Standard on Assurance Engagements 3402) is the framework for reporting on controls at a service organization that are relevant to user entities' financial reporting. It is the international equivalent of the AICPA's SOC 1 (SSAE 18) standard used in the United States.
The standard applies when a user entity outsources a process — such as payroll, payment processing, or fund administration — to a third-party service organization. Because those outsourced processes affect the user entity's financial statements, the user auditor needs assurance that the service organization's controls are properly designed and operating effectively.
ISAE 3402 reports are issued in two forms: Type I, which covers the design and implementation of controls at a point in time, and Type II, which covers both design and operating effectiveness over a period (typically 9 to 12 months). Type II reports provide stronger assurance because the service auditor tests whether controls actually operated as designed throughout the reporting period.
Key Points
- Type I vs Type II. A Type I report confirms controls are suitably designed and implemented at a point in time. A Type II report goes further — the service auditor tests operating effectiveness over a period, providing evidence that controls worked consistently.
- The user auditor cannot blindly rely. Receiving an ISAE 3402 report does not eliminate the user auditor's responsibility. They must evaluate the report, assess its relevance to the user entity's controls, and test any CUECs (complementary user entity controls) listed in the report.
- Gap periods require attention. If the report period does not cover the user entity's full financial year, the user auditor must address the gap — typically through a bridge letter, roll-forward procedures, or additional testing.
- Exceptions matter. Any control exceptions noted by the service auditor must be evaluated by the user auditor for their impact on the user entity's financial statements. An exception does not automatically mean a control failure, but it requires professional judgement.
Why it matters in practice
Worked example: Horizon Payroll Services
Dekker Accountancy audits Van der Berg Logistics, which outsources its payroll to Horizon Payroll Services. Horizon provides an ISAE 3402 Type II report covering 1 January to 30 September 2025. The user auditor's task is to evaluate the report and determine whether it supports reliance on payroll controls.
The report lists three controls relevant to payroll processing:
- CO-02 — Payroll input validation. All payroll changes (new hires, terminations, salary adjustments) require dual authorization before processing. The service auditor tested 40 changes and found zero exceptions.
- PR-02.3 — Payroll reconciliation. Total payroll output is reconciled to input data before payment files are released. The service auditor tested 12 monthly reconciliations and found one exception: March 2025 was reconciled two days after the payment file was released. The service auditor noted the exception but concluded the control was operating effectively overall.
- CUEC-03 — User entity review of payroll reports. The report assumes that the user entity reviews monthly payroll summary reports for accuracy before posting journal entries. This is a CUEC — the user auditor must test it independently.
The user auditor documents the following conclusions: CO-02 provides sufficient evidence for input controls. PR-02.3 has one exception that requires evaluation — the auditor assesses whether the March timing delay resulted in any misstatement. CUEC-03 must be tested at Van der Berg Logistics by inspecting evidence that monthly payroll reports were reviewed and approved.
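The user auditor's evaluation above, written out as an added example (not from the original page): a small Python model of the reliance decision per control and of the gap-period rule stated in the FAQ. The Horizon figures are taken from the worked example; Van der Berg's 31 December year-end and the `Control` data shape are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Control:
    """One control as described in an ISAE 3402 Type II report (assumed shape)."""
    ref: str
    is_cuec: bool = False   # complementary user entity control
    tested: int = 0         # items the service auditor tested
    exceptions: int = 0     # exceptions the service auditor noted


def reliance_conclusion(c: Control) -> str:
    """Classify a control the way the worked example does."""
    if c.is_cuec:
        return "test at user entity"      # the service auditor did not test it
    if c.exceptions == 0:
        return "rely"
    return "evaluate exception"           # judge impact on the financial statements


def months_between(start: date, end: date) -> int:
    """Whole calendar months between two dates (day-of-month is ignored)."""
    return (end.year - start.year) * 12 + (end.month - start.month)


def gap_period_action(report_end: date, year_end: date) -> str:
    """Apply the FAQ rule: a gap of more than three months needs more than a bridge letter."""
    gap = months_between(report_end, year_end)
    if gap <= 0:
        return "no gap"
    if gap > 3:
        return "bridge letter plus additional procedures"
    return "bridge letter"


def evaluate_report(controls, report_end: date, year_end: date) -> dict:
    return {
        "controls": {c.ref: reliance_conclusion(c) for c in controls},
        "gap_period": gap_period_action(report_end, year_end),
    }


# Constructed from the Horizon Payroll Services example above.
HORIZON = [
    Control("CO-02", tested=40, exceptions=0),
    Control("PR-02.3", tested=12, exceptions=1),
    Control("CUEC-03", is_cuec=True),
]
REPORT_END = date(2025, 9, 30)
YEAR_END = date(2025, 12, 31)   # assumed user-entity year-end

if __name__ == "__main__":
    print(evaluate_report(HORIZON, REPORT_END, YEAR_END))
```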
What reviewers catch
Regulatory inspections consistently flag weaknesses in how user auditors handle ISAE 3402 reports:
- CPAB (Canada). User auditors accepted ISAE 3402 reports without evaluating whether the controls described were relevant to the specific assertions being tested. The report was filed but not analyzed.
- PCAOB (US). Auditors failed to address gap periods between the report date and the user entity's year-end. No bridge letter was obtained, and no additional procedures were performed.
- AFM (Netherlands). User auditors did not test CUECs, treating the ISAE 3402 report as complete assurance over the outsourced process without recognizing the user entity's own control responsibilities.
Type I vs Type II comparison
- Coverage period. Type I covers a single date; Type II covers a period (typically 9-12 months).
- Operating effectiveness. Type I does not test operating effectiveness; Type II does.
- Reliance for substantive testing. Type I supports only limited reliance; Type II can support a controls-reliance strategy.
- Typical use case. Type I is common for new service organizations or first-year engagements; Type II is expected for ongoing relationships.
Key standard references
- ISAE 3402.1: Scope — assurance reports on controls at a service organization relevant to user entities' internal control over financial reporting.
- ISAE 3402.9-10: Type I vs Type II report definitions and the service auditor's responsibilities for each.
- ISA 402.7-8: The user auditor's responsibilities when the user entity uses a service organization, including evaluating the ISAE 3402 report.
- ISA 402.15: Determining the sufficiency of the ISAE 3402 report as audit evidence for the user auditor's purposes.
- ISAE 3402.A36: Complementary user entity controls (CUECs) and the service organization's responsibility to identify them.
Frequently asked questions
What is the difference between a Type I and a Type II report?
A Type I report covers the design and implementation of controls at a single point in time. A Type II report covers both design and operating effectiveness over a period (typically 9 to 12 months). Type II provides stronger assurance because the auditor tests whether controls actually operated as designed throughout the period, not just whether they existed on a given date.
Who is responsible for testing CUECs listed in an ISAE 3402 report?
The user auditor is responsible. CUECs are controls that the service organization assumed the user entity would implement. The service auditor does not test them. If the user auditor fails to identify and test CUECs, they cannot fully rely on the ISAE 3402 report for their assessment of control risk.
What happens when the ISAE 3402 report does not cover the full financial year?
The user auditor must address the gap period — the time between the end of the ISAE 3402 report period and the user entity's year-end. Common approaches include obtaining a bridge letter from service organization management, performing additional procedures over the gap period, or extending roll-forward testing. A gap of more than three months typically requires more than a bridge letter alone.