What is ISAE 3402?

Your client outsources payroll to a third party. The payroll numbers flow straight into the financial statements, but your team can't walk into the service provider's office and test those controls directly. You need someone else's evidence. That gap is where most user auditors start worrying, and it's where ISAE 3402 sits.

ISAE 3402 is the international standard that lets a service auditor examine controls at a service organization and produce a report the user auditor can rely on under ISA 402. When a user entity outsources a process affecting its financial reporting (payroll, pension administration, payment processing, fund accounting), the standard provides the mechanism for obtaining that assurance.

The service auditor examines the service organization's description of its system and evaluates whether controls are suitably designed. For a Type II report, the service auditor also tests whether those controls operated effectively over a period. Scope is limited to controls relevant to user entities' financial reporting (ISAE 3402.3). Controls that serve only operational or compliance purposes fall outside the standard's boundary.

ISAE 3402.13 requires a written assertion from the service organization's management as a precondition. Without it, the service auditor can't issue the report. This assertion covers the fairness of the system description, the suitability of control design, and (for Type II) the operating effectiveness of controls throughout the period.

An ISAE 3402 report is a reasonable assurance engagement. Not limited assurance. Not agreed-upon procedures. And it's not an audit opinion on the service organization's financial statements.

Key Points

  • ISAE 3402 is the standard behind service organization reports that user auditors rely on under ISA 402.
  • Two report types exist: Type I covers design at a date, Type II adds operating effectiveness over a period.
  • The service auditor's report is a reasonable assurance engagement, not limited assurance or agreed-upon procedures.
  • An ISAE 3402 report is not an audit opinion on the service organization's financial statements.

Why it matters in practice

Worked example: VanderBerg Pensioenservices B.V.

Client: Dutch pension administration company, €2.1B assets under management, servicing 14 pension funds. ISAE 3402 Type II report for January–December 2024.

The system boundary covers contribution processing, benefit calculations, participant data maintenance, and investment transaction recording. The service organization's management provides the written assertion required by ISAE 3402.13, confirming the description is fairly presented and controls are suitably designed and operating effectively.

Across 12 control objectives, the service auditor tests 47 individual controls for operating effectiveness over the full twelve-month period, selecting samples and inspecting evidence of performance. Much of this is ticking and bashing: does the approval match the policy, does the output match the input, does the timestamp fall within the control window.

One exception surfaces. A participant data change processed in April 2024 went through without the required independent review. That change was a salary update, which directly affects benefit calculations. The service auditor reports it per ISAE 3402.42.

Report outcome: unmodified opinion, but the exception is noted. Each of the 14 pension fund auditors (the user auditors) now has to evaluate whether this specific exception affects the assertions they're testing in their own engagements. For a fund where the affected participant is a member, the user auditor tests whether the unreviewed salary change caused a misstatement in benefit payments or liability calculations.

What reviewers get wrong

Service auditors sometimes describe the system boundary too broadly, pulling in processes that don't affect user entities' financial reporting. ISAE 3402.9(a) requires the description to cover only controls relevant to user entities' internal control over financial reporting.

The NBA has noted that some reports lack sufficient detail in the description of tests performed and results obtained. ISAE 3402.42 requires enough detail for user auditors to assess the relevance and reliability of the evidence. A summary statement that "controls operated effectively" without describing the nature, timing, and extent of testing doesn't meet the standard.

Nobody on the user audit team can do anything useful with a one-line conclusion. You've waited three months for the report, it finally arrives, and it tells you nothing about what was actually tested. That's the report that generates the most review notes.

ISAE 3402 vs SOC 1

| Dimension | ISAE 3402 | SOC 1 (SSAE 18) |
|---|---|---|
| Issuing body | IAASB (international) | AICPA (United States) |
| Jurisdiction | European and international | Primarily US |
| Report types | Type I and Type II | Type 1 and Type 2 |
| Underlying framework | ISAE 3000 (Revised) | AT-C Section 320 |
| EU acceptance | Accepted directly | Accepted by many, some require ISAE 3402 |

Key standard references used here

  • ISAE 3402.3: Scope (assurance reports on controls at a service organization relevant to user entities' financial reporting).
  • ISAE 3402.9(a): The service organization's description must cover only controls relevant to user entities' internal control over financial reporting.
  • ISAE 3402.13: Written assertion from service organization management is a precondition for the engagement.
  • ISAE 3402.42: Description of tests performed and results obtained, including exceptions, in the service auditor's report.
  • ISA 402: The user auditor's responsibilities when the user entity uses a service organization.

Frequently asked questions

Is an ISAE 3402 report an audit opinion?

No. It is an assurance report on controls at a service organization, not an opinion on the service organization's financial statements. It provides evidence that user auditors can rely on under ISA 402.

What is the difference between Type I and Type II under ISAE 3402?

A Type I report covers design of controls at a specific date. A Type II report adds testing of operating effectiveness over a period, providing stronger evidence for user auditors.
