Side-by-side comparison
| Dimension | ISAE 3402 | SOC 1 (AT-C 320) |
|---|---|---|
| Issuing body | IAASB (International Auditing and Assurance Standards Board). | AICPA (American Institute of Certified Public Accountants). |
| Where it is used | Outside the US. Standard choice for European service organisations and for engagements where the user auditor follows ISAs. | United States. Most US-based service providers issue SOC 1 reports rather than ISAE 3402. |
| Type I and Type II | Both available. Same design-only vs operating-effectiveness distinction. | Both available. Same distinction. |
| Report recipients | Restricted to the service organisation and user entities (including their auditors). | Same restricted distribution. |
| European acceptance | Directly accepted by European regulators without equivalence assessment. | Accepted in practice, but the user auditor must document that AT-C 320 is equivalent to ISAE 3402 (ISA 402.A20). |
| Common in practice | Service organisations based in Europe, or US providers that serve a significant international client base. | US-based service organisations. Some large US providers issue dual reports (ISAE 3402 and SOC 1 combined). |
Key Points
- ISAE 3402 is the international standard; SOC 1 is the US standard. Both cover controls relevant to financial reporting.
- European user auditors should request an ISAE 3402 report, but a SOC 1 report is usually accepted if the equivalence is documented.
- The reports are structurally similar because AT-C 320 and ISAE 3402 were developed in parallel.
- Acceptance of a SOC 1 by a European user auditor requires an ISA 402 equivalence assessment in the file.
When the distinction matters on an engagement
The distinction surfaces when a European audit team receives a SOC 1 report from a US-based service provider. The report covers the right subject matter (controls over financial reporting) but was prepared under AT-C 320 rather than ISAE 3402.
ISA 402.A20 requires the user auditor to consider whether the service auditor's engagement was performed under standards that are at least as demanding as the ISAs. In practice, AT-C 320 and ISAE 3402 are closely aligned because the AICPA and IAASB developed them in coordination. But "closely aligned in practice" is not the same as "no documentation required."
The file must contain a brief equivalence assessment. One sentence is usually sufficient, but the sentence must exist. Without it, an inspection reviewer will ask why the team relied on a report prepared under a different framework without documenting the basis for acceptance.
Worked example: Heijmans Consultancy B.V.
Client: Dutch professional services firm, FY2024, revenue €31M, Dutch GAAP (RJ) reporter. Heijmans outsources its billing and accounts receivable management to two service providers.
Provider 1: FinServ Europe GmbH (based in Frankfurt)
FinServ provides an ISAE 3402 Type II report covering 1 January to 31 December 2024. The report addresses controls over invoice generation and accounts receivable reconciliation.
Documentation note: "ISAE 3402 Type II report obtained from FinServ Europe GmbH. Report prepared under international standards. Covers full audit period. No equivalence assessment required. Assessed service auditor's professional competence per ISA 402.13. Two exceptions noted in testing of cash receipts controls. Evaluated impact: exceptions relate to timing of posting, not to completeness. No additional procedures required."
Provider 2: BillTech Solutions Inc. (based in Austin, Texas)
BillTech provides a SOC 1 Type II report (AT-C 320) covering 1 October 2023 to 30 September 2024.
Documentation note: "SOC 1 Type II report obtained from BillTech Solutions Inc. Report prepared under AT-C 320 (AICPA). Per ISA 402.A20, assessed equivalence: AT-C 320 was developed in coordination with ISAE 3402 and imposes equivalent requirements for service auditor competence and reporting. AT-C 320 report accepted as equivalent to ISAE 3402. Report period ends 30 September 2024. Audit period ends 31 December 2024. Three-month gap exists. Per ISA 402.16, user auditor must obtain evidence for the uncovered period (1 October to 31 December 2024). Performed inquiry of management, reviewed subsequent events, confirmed no changes to controls at BillTech during Q4 2024."
If the team had filed the SOC 1 report without the equivalence sentence, the procedures would be identical but the documentation would fail an inspection review on the ISA 402.A20 point.
What reviewers get wrong
Files frequently contain SOC 1 or ISAE 3402 reports without documentation of whether the report period matches the audit period. The gap analysis required by ISA 402.16 is absent or incomplete. This is the same finding regardless of whether the report is ISAE 3402 or SOC 1.
For SOC 1 reports specifically, the equivalence assessment under ISA 402.A20 is often missing entirely. This does not mean the evidence is bad. It means the file does not explain why the team accepted a report prepared under a different framework. The fix is one sentence.
Key standard references
- ISAE 3402: International standard for reporting on controls at a service organisation.
- AT-C 320: US standard governing SOC 1 reports.
- ISA 402.A20: Requires equivalence assessment when the service auditor's report was prepared under a non-ISA framework.
- ISA 402.16: Addresses gaps between the report period and the audit period.
Related terms
Related reading
Frequently asked questions
Can a European auditor accept a SOC 1 report instead of an ISAE 3402 report?
Yes, but the file must contain an equivalence assessment. ISA 402.A20 requires the user auditor to consider whether the engagement was performed under standards at least as demanding as the ISAs. AT-C 320 and ISAE 3402 are closely aligned, so the assessment is typically brief, but the documentation must exist.
Do some service organisations issue dual reports?
Yes. Large US-based service providers that serve international clients often issue a combined ISAE 3402 and SOC 1 report. This satisfies both frameworks in a single document and eliminates the need for an equivalence assessment.