ISAE 3402 Workbook

The audit file that survives the review.

Skip the 30-hour blank-Excel scramble. Open a structured engagement file where every judgment call is prompted, every paragraph reference is verified, and every tab cross-references the next, ready for partner review on day one.

Get Instant Access — €249 · one-time purchase · instant download · Excel + PDF
All ISAE 3402 paragraph references verified
AFM & PCAOB deficiency patterns addressed
Golden thread across all 7 tabs
95 judgment prompts
ISA 530 sample size tables embedded

You got assigned your first ISAE 3402.
You opened a blank Excel.

When the engagement lands, most seniors reverse-engineer the standard and build the file from scratch, under time pressure, with no reference point for what defensible actually looks like.

23
Files with insufficient evidence

The AFM's 2025 fraud risk investigation reviewed 32 ISAE 3402 files across 13 Dutch firms. 23 had insufficient evidence. They called it the third and final warning.

5
Recurring deficiency patterns

Clustered sampling. Inquiry alone. No pre-defined deviation criteria. IPE not tested. Design confused with OE. These aren't obscure errors. They're in the standard. They keep appearing because the right framework doesn't exist in the file.

30+
Hours to build this from scratch

That's the realistic estimate for a senior building a defensible 28-column control matrix, risk assessment, testing protocol, and gap analysis from first principles. At your billing rate, that's €2,400–6,000 of your time.

0
Useful free templates online

There are surface-level explainers everywhere. There are no working templates that embed the judgment calls, paragraph references, and cross-references that make a file survive a regulatory inspection.

23/32
AFM 2025 fraud investigation finding

Files reviewed across 13 Dutch audit firms found insufficient evidence, specifically around IPE testing and the reliance on inquiry as a standalone procedure. This is the regulatory environment your next ISAE 3402 file will be reviewed against.

What changes when the file is already built.

Without the workbook
  • 30+ hours building the file from a blank Excel before the engagement starts
  • Wrong sampling paragraph references copied from firm to firm (A47–A54 instead of Para. 24–29)
  • IPE columns missing entirely (the #1 PCAOB deficiency area in 2024)
  • Key/Non-Key classification with no written rationale (flagged by both AFM and PCAOB)
  • Partner review generates a list of structural questions you can't answer on the spot

With the workbook
  • 10–15 minutes to set up. Engagement-specific details filled in, everything else already built.
  • Every paragraph reference verified against the standard, with corrections included where the industry gets it wrong
  • IPE flagging built into the control matrix with completeness and accuracy testing prompted separately
  • Amber-highlighted K/NK column with a required written rationale. The judgment is documented before the review
  • Risk IDs link through every tab. The partner traces from risk to opinion in a single pass

Seven tabs. Everything connected.

Seven tabs, one connected system. Open any tab and the cross-references tell you exactly where the inputs came from and where the outputs go.

Tab 0: Start Here

Hand the file to a junior and they can start working immediately. A plain-language setup guide walks through the entire structure in 10–15 minutes. No onboarding call, no instruction manual.

Setup: 10–15 minutes
Principles cross-referenced to standard paragraphs
Designed so a junior can follow it alone
Tab 1: Dashboard

Know exactly where you stand before partner review, without manually tallying anything. Control counts, testing status, open gaps, and sign-off progress update automatically as you work through the other tabs.

Auto-calculated control and testing status
Gap severity breakdown at a glance
Sign-off progress tracker
No manual updating required
Tab 2: Control Matrix: 28 columns

Stop guessing what your reviewer will challenge. Amber-highlighted judgment columns flag the exact IPE and Key/Non-Key decisions that trigger review notes, with judgment prompts explaining what a defensible answer looks like.

28 columns across 4 blocks
11 fully populated example controls across 7 objectives
Dropdowns on all classification fields
Judgment prompts on every header
Tab 3: Risk Assessment: 19 columns

Document the risk rationale once and have it flow into your testing plan automatically. Three-layer assessment with service-organisation-specific risk factors already embedded. No more scrambling to justify your selections at review.

Inherent + Control Environment + Combined layers
Fraud risk documentation per ISAE 3000
ISA 315 applied by analogy, correctly referenced
Change from prior year tracked
Tab 4: Testing Protocol: 20 columns

Avoid the five most common testing errors before fieldwork begins. A built-in planning block forces the right decisions up front, with corrected paragraph references (sampling is Para. 24–29, not the A47–A54 most files cite).

Pre-defined deviation criteria section
ISA 530 sample size quick reference embedded
IPE testing steps integrated
TDR vs. observed rate tracking
Tab 5: Gap Analysis: 18 columns

Catch qualification triggers before the partner does. A nine-item sign-off checklist must clear before the report can be dated, with severity ratings tied directly to the Para. 53–55 opinion thresholds that determine whether a finding qualifies.

Design vs. OE deficiency correctly distinguished
Compensating control 7-element framework
Aggregation assessment (Linford & Co method)
EQCR trigger linked to ISQM 2 A25–A27
+ Bridge Letter: PDF

Stop drafting the gap period letter from scratch every engagement. A ready-to-use management representation letter covers the period between your report date and the user entity's year-end. Just fill in the dates and entity details.

Gap acceptability: 0–3 / 3–6 / 6+ months guidance
Carve-out vs. inclusive method handled
Executive-only signature requirement explained
ISA 402 user auditor reliance guidance
CUEC Register

Give the user entity clear, documented testing responsibilities from day one. Six pre-populated CUECs covering access management, payroll, change management, journal entries, treasury, and incident reporting, ready to expand for your engagement.

Assumed in design vs. additional CUECs distinguished
User entity testing responsibility documented
Evidence expected from user entities
Prior period status tracked

This is what the control matrix actually looks like.

Real column headers. Real judgment prompts. Real example controls. Not a mockup. This is the structure you open on day one.

Control ID | Objective | Control Description | Type | Key / Non-Key | IPE | Risk ID Link
CTL-01 | Access Management | Quarterly user access reviews performed by IT manager with sign-off | Detective | Key: single control addressing CO-01 with no compensating control | Yes, relies on system-generated user listing | RA-01
CTL-02 | Change Management | All production changes require documented approval before deployment | Preventive | Key: no alternative control exists for unauthorized changes | No | RA-03
CTL-03 | Processing Integrity | Automated reconciliation of input and output transaction counts daily | Detective | Non-Key: compensating control CTL-04 addresses same risk | Yes, relies on system-generated reconciliation report | RA-05
Hover comment on "Key / Non-Key" column: Document your rationale covering three questions: (1) What risk does this control address? (2) Does a compensating control exist? (3) What would happen if this control failed? Vague K/NK classification is flagged by both AFM and PCAOB. This column removes the ambiguity. See Para. 17 and A14–A15.

Start with the free control matrix

The 28-column structure, all headers, judgment prompts, and dropdown classifications: no pre-populated examples, no connected tabs. Download this first if you want to see the foundation before committing to the full workbook.

No spam. We're auditors, not marketers.

Built around what regulators actually check.

Golden thread
Every tab cross-references every other tab. Risk ID in the Risk Assessment links to the Control Matrix. Control ID in the Control Matrix links to the Testing Protocol. The Testing Protocol links to the Gap Analysis. A partner or reviewer can trace from identified risk to opinion conclusion in a single pass. The most common structural question in partner reviews, answered before it's asked.
IPE identification
The #1 PCAOB 2024 deficiency area. Any control relying on a system-generated output gets an IPE flag. The file prompts completeness and accuracy testing separately, with the exact question the PCAOB asks: did you test that the report contained all items it should, and that those items were correctly stated? AT-C 205.36 referenced throughout.
Key/Non-Key rationale
The judgment is documented in writing, before the review. The amber K/NK column requires a written rationale covering: what risk this addresses, whether any compensating control exists, and what would happen if this control failed. The AFM and PCAOB both flag vague K/NK classification. The rationale column removes the ambiguity.
Sampling references
Corrected paragraph references that most files get wrong. ISAE 3402 sampling guidance is in Para. 24–29 and A28–A36. Not A47–A54 (those cover modified opinions). A callout in the Testing Protocol explains the correction. The sample size table is cross-referenced to ISA 530 applied by analogy via ISAE 3000.
Deviation reporting
Per Para. A18, deviations appear in test results even when mitigated. The file documents this explicitly: compensating controls reduce severity. They don't erase the exception. This distinction matters at partner review and in regulatory inspection. The Gap Analysis nine-item checklist enforces it.
Aggregation
Individual Low or Medium findings can combine to a qualification-level finding. The Gap Analysis includes a dedicated aggregation summary section that must be completed before partner sign-off. The Linford & Co aggregation framework is embedded. An EQCR trigger links directly to ISQM 2 A25–A27.
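The golden-thread and IPE points above are, in practice, referential-integrity rules between the tabs: every Risk ID a control cites must exist in the Risk Assessment, every key control must have a Testing Protocol row, every IPE-flagged control must have completeness and accuracy tested separately, and every test with deviations must surface in the Gap Analysis. As an added illustration (not code from the workbook or from ciferi), the Python below applies those rules to constructed rows. CTL-01 to CTL-03 mirror the page's example controls; the Risk Assessment, Testing Protocol and Gap Analysis rows, the field names, and the deliberately defective CTL-09 are assumptions made for the example.

```python
"""Golden-thread integrity check across the linked tabs of an ISAE 3402 file.

Added example, not part of the workbook. The rows are constructed: CTL-01..03
follow the page's example controls; everything else is assumed for illustration.
"""

# Constructed sample rows. In the real file these would be read from each tab.
RISKS = [
    {"risk_id": "RA-01", "description": "Unauthorised or stale user access"},
    {"risk_id": "RA-03", "description": "Unapproved production changes"},
    {"risk_id": "RA-05", "description": "Incomplete or inaccurate processing"},
]

CONTROLS = [
    {"control_id": "CTL-01", "key": "Key", "ipe": True, "risk_id": "RA-01",
     "knk_rationale": "Single control addressing CO-01; no compensating control"},
    {"control_id": "CTL-02", "key": "Key", "ipe": False, "risk_id": "RA-03",
     "knk_rationale": "No alternative control exists for unauthorised changes"},
    {"control_id": "CTL-03", "key": "Non-Key", "ipe": True, "risk_id": "RA-05",
     "knk_rationale": "Compensating control CTL-04 addresses same risk"},
    # Deliberately defective row (assumed): dangling risk link, no K/NK rationale.
    {"control_id": "CTL-09", "key": "Key", "ipe": True, "risk_id": "RA-99",
     "knk_rationale": ""},
]

# Testing Protocol rows (assumed): IPE completeness and accuracy are tracked
# as separate flags, matching the "tested separately" prompt in the file.
TESTS = [
    {"control_id": "CTL-01", "ipe_completeness": True, "ipe_accuracy": True, "deviations": 0},
    {"control_id": "CTL-02", "ipe_completeness": False, "ipe_accuracy": False, "deviations": 2},
    {"control_id": "CTL-03", "ipe_completeness": True, "ipe_accuracy": False, "deviations": 0},
]

# Gap Analysis rows (assumed): empty, so CTL-02's deviations have nowhere to land.
GAPS = []


def check_golden_thread(risks, controls, tests, gaps):
    """Return a list of (control_id, message) findings; an empty list means the
    thread from risk to control to test to gap is intact."""
    findings = []
    risk_ids = {r["risk_id"] for r in risks}
    control_ids = {c["control_id"] for c in controls}
    tests_by_control = {t["control_id"]: t for t in tests}
    gapped_controls = {g["control_id"] for g in gaps}

    for c in controls:
        cid = c["control_id"]
        # Risk Assessment -> Control Matrix link must resolve.
        if c["risk_id"] not in risk_ids:
            findings.append((cid, f"links to {c['risk_id']}, which is not in the Risk Assessment"))
        # K/NK classification needs a written rationale, not just a dropdown value.
        if not c["knk_rationale"].strip():
            findings.append((cid, "Key/Non-Key classification has no written rationale"))
        t = tests_by_control.get(cid)
        if t is None:
            if c["key"] == "Key":
                findings.append((cid, "key control has no Testing Protocol row"))
            continue
        # IPE flag requires completeness AND accuracy to be tested separately.
        if c["ipe"]:
            if not t["ipe_completeness"]:
                findings.append((cid, "IPE flagged but completeness not tested"))
            if not t["ipe_accuracy"]:
                findings.append((cid, "IPE flagged but accuracy not tested"))
        # Deviations appear in results even when mitigated, so a gap entry must exist.
        if t["deviations"] > 0 and cid not in gapped_controls:
            findings.append((cid, f"{t['deviations']} deviation(s) in testing but no Gap Analysis entry"))

    # Reverse direction: tests and gaps must point at real controls.
    for t in tests:
        if t["control_id"] not in control_ids:
            findings.append((t["control_id"], "Testing Protocol row has no Control Matrix entry"))
    for g in gaps:
        if g["control_id"] not in control_ids:
            findings.append((g["control_id"], "Gap Analysis row has no Control Matrix entry"))
    return findings


if __name__ == "__main__":
    for control_id, message in check_golden_thread(RISKS, CONTROLS, TESTS, GAPS):
        print(f"{control_id}: {message}")
```

Run as-is it reports five breaks in the thread (CTL-02's untracked deviations, CTL-03's untested IPE accuracy, and three for the defective CTL-09); add a Gap Analysis row for CTL-02 and drop CTL-09 and only the CTL-03 IPE finding remains. The same rules can be pointed at the real tabs by replacing the constructed lists with rows loaded from the workbook.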

SAMPLE JUDGMENT PROMPTS

Prompt 12 · Tab 2: Risk Assessment

"Has management identified all sub-service organisations and documented the nature of services each provides to user entities?"

Reference: ISAE 3402.A14

Prompt 47 · Tab 4: Control Testing

"For each key control, have you documented the nature, timing, and extent of testing performed, including the rationale for sample sizes selected?"

Reference: ISAE 3402.33(b)

Prompt 78 · Tab 6: Deviation Reporting

"Where deviations were identified, have you assessed whether they represent isolated incidents or systemic control failures, and documented the basis for that conclusion?"

Reference: ISAE 3402.40-41

3 of 95 judgment prompts. The full workbook covers scoping through reporting.

Ready to stop building the file from scratch?
€249 one-time · 60-day guarantee · instant download
Get Instant Access — €249

HOW CIFERI COMPARES

 | Free (IFAC/ICAI) | ciferi | Enterprise (Mercia/CaseWare)
Price | Free | €249 one-time | €1,000–3,000/year
Format | PDF guidance | Editable Excel + PDF | Locked in platform
ISA coverage | General guidance | Paragraph-level mapping | Full methodology
Software needed | None | Excel only | Proprietary platform
Updates | Sporadic | Free when standards change | Included in subscription

The alternative is more expensive than you think.

The real comparison isn't €249 versus a free template. It's €249 versus the cost of building this yourself, or the cost of a finding.

€4,000
Build it yourself
30–40 hours × €80–150/hour billing rate. Before the engagement starts. Under deadline pressure. With no reference point for what defensible looks like.
€375/hr
External consultant review
€250–500 per hour for a specialist to review your workpapers. One session to identify the IPE gaps, the K/NK rationale issues, the sampling spread problem.
€249
This workbook
One-time. Instant download. Built around the exact deficiency patterns the AFM and PCAOB have documented. Ready to use in the next engagement.
Most mid-tier firm managers have petty cash budgets bigger than €249. At €249, this costs less than two hours of your billing rate. One AFM finding costs more in remediation and reputation than this workbook will ever cost.

The 8-Hour Promise

Use the workbook on your next engagement. If you haven't saved at least 8 hours compared to building the file from scratch, email [email protected] within 60 days and get a full refund. No questions asked. The workbook either saves you time or it costs you nothing.

ISAE 3402 Audit Workbook

€249

One-time payment · VAT included · Instant download

Less than €35 per engagement when used on 7 audits.

Excel workbook: 7 tabs, 28-column control matrix, 95 judgment prompts
11 fully populated example controls across seven control objectives
CUEC Register with six pre-populated CUECs covering access management, payroll, change management, journal entries, treasury, and incident reporting
Bridge Letter PDF: gap period coverage, carve-out/inclusive method, user auditor guidance
All ISAE 3402 paragraph references verified (sampling correction included)
ISA 530 sample size table, AFM deficiency callouts, ISQM 2 EQR trigger
Free updates when standards change
Get Instant Access — €249


Visa · Mastercard · PayPal · iDEAL · SEPA

60-day guarantee: if you haven't saved 8 hours, email us and we'll refund you in full.

Built for auditors who are actually doing this work.

Sole practitioners

Running ISAE 3402 engagements without a firm methodology team. Need a file structure that passes quality review without building one from scratch.

Mid-tier seniors & managers

At BDO, Grant Thornton, Mazars, Baker Tilly, or similar. Assigned the engagement and looking for a reference point for what defensible actually looks like.

Internal auditors

Preparing for an external ISAE 3402 review and wanting to see exactly what the auditor will check, so that gaps can be fixed before the auditor arrives.

CFOs & compliance leads

Going through their first SOC 1 / ISAE 3402 engagement and needing to understand the deliverable their auditor should be producing.

This workbook is not for you if:

  • Your firm already has a proprietary ISAE 3402 methodology (Big 4 firms, for example)
  • You need a training course. This workbook assumes you understand the standard
  • You only need a single checklist, not a full engagement file (see our free checklists instead)

The answer is yes.

Is this based on current ISAE 3402 requirements?

Every tab maps to specific ISAE 3402 paragraphs. Updated for current IAASB guidance.

Will it work for my firm's methodology?

Fully customisable. Adapt every prompt, add your firm's branding, modify the structure to match your approach.

Can I use it on multiple engagements?

Unlimited use. One purchase, every engagement. No per-client or per-year licensing.

Is it up to date?

Current as of March 2026. Free updates when standards change — you will receive the updated file by email.

Does it work for SOC 1 engagements?

Yes. ISAE 3402 and SOC 1 share the same underlying framework. The workbook covers both.

Will my data be secure?

It is an Excel file on your own computer. No cloud upload, no third-party access, no account required.

Can I try before I buy?

The 60-day guarantee means you can use it on a real engagement. If it does not save you time, you get a full refund.

Questions

Who is this for?

Anyone responsible for an ISAE 3402 or SOC 1 engagement who needs a defensible file structure without building one from scratch. Sole practitioners, mid-tier seniors (BDO, Grant Thornton, Mazars, Baker Tilly), internal auditors preparing for external review, and CFOs going through their first engagement. Not for practitioners who've never opened the standard.

How long does it take to set up?

10–15 minutes to input your service organization's name, audit period, and engagement type across the tabs. The example rows and judgment prompts are already populated. You're adapting a working file, not filling a blank one.

Is this up to date with current standards?

Yes. References include ISAE 3402 (current), ISA 530 applied by analogy, AT-C 205.36 for IPE, ISQM 2 for EQR triggers, ISA 402 for the bridge letter, and AFM and PCAOB findings through 2025 including the 2024 PCAOB Staff Alert on IPE deficiencies.

Does this work for SOC 1 engagements?

Yes. The control matrix, testing protocol, and gap analysis translate directly. The structural requirements under SSAE 18 (the US equivalent) are substantively the same. The bridge letter explicitly covers ISAE 3402 / SSAE 18. Where US-specific references are relevant (AT-C 205) they're included.

Can I use this at my firm?

Yes, for your own engagements. The license covers use across your client engagements. It doesn't cover redistribution or resale as a firm-wide licensed template. Contact ciferi.com if you need firm licensing.

What if the standards change?

You get free updates. When ISAE 3402 is revised or when new AFM/PCAOB guidance materially affects the deficiency patterns in the file, the workbook is updated and existing buyers get the new version at no charge.

What is your refund policy?

We offer a 60-day results guarantee. If you've used the workbook and haven't saved at least 8 hours on your engagement, email [email protected] within 60 days of purchase and we'll refund you in full. No questions asked. See our full refund policy.

Deep dives on ISAE 3402

ISAE 3402 Service Organisation Controls: The Complete Guide
How to Build an ISAE 3402 Control Matrix
ISAE 3402 Gap Analysis: From Deviation to Opinion
Why Your ISAE 3402 Sampling References Are Probably Wrong
Complementary User Entity Controls (CUECs) Explained

You may also need

ISA 240 Fraud Risk Assessment Toolkit

Fraud brainstorming agenda, risk matrix, journal entry testing templates, and management override procedures.

View toolkit

Not ready to buy?

Free Audit Checklists

8 ISA inspection readiness scorecards. Score your file against regulator findings in 5 minutes.

See free checklists