ISAE 3402 Template Pack

The audit file that survives the review.

Five production-ready workpaper tabs with 95 embedded judgment prompts, three fully documented example controls, and every paragraph reference your reviewer will ask about — built by a practicing auditor, not a consultant.

€249 · one-time · instant download · Excel + PDF
All ISAE 3402 paragraph references verified
AFM & PCAOB deficiency patterns addressed
Golden thread across all 5 tabs
95 hover-comment judgment prompts
ISA 530 sample size tables embedded

You got assigned your first ISAE 3402.
You opened a blank Excel.

Large firms have firm-wide methodology templates, maintained by dedicated technical teams. Mid-tier firms don't. When the engagement lands, most senior associates reverse-engineer the standard and build the file from scratch — under time pressure, with no reference point for what defensible actually looks like.

23 files with insufficient evidence

The AFM's 2025 fraud risk investigation reviewed 32 ISAE 3402 files across 13 Dutch firms. 23 had insufficient evidence. They called it the third and final warning.

5 recurring deficiency patterns

Clustered sampling. Inquiry alone. No pre-defined deviation criteria. IPE not tested. Design confused with OE. These aren't obscure errors — they're in the standard. They keep appearing because the right framework doesn't exist in the file.

30+ hours to build this from scratch

That's the realistic estimate for a senior associate building a defensible 28-column control matrix, risk assessment, testing protocol, and gap analysis from first principles. At your billing rate, that's €2,400–6,000 of your time.

0 useful free templates online

There are surface-level explainers everywhere. There are no working templates that embed the judgment calls, paragraph references, and cross-references that make a file survive a regulatory inspection.

23/32: AFM 2025 fraud investigation finding

Files reviewed across 13 Dutch audit firms found insufficient evidence — specifically around IPE testing and the reliance on inquiry as a standalone procedure. This is the regulatory environment your next ISAE 3402 file will be reviewed against.

Five tabs. Everything connected.

Every tab cross-references every other. Risk IDs trace from the Risk Assessment through the Control Matrix into the Testing Protocol and out to the Gap Analysis. A reviewer can follow the thread from identified risk to opinion conclusion without asking a single question.

0. Start Here

Six-step setup guide and seven key principles embedded in plain language. The file explains itself — no separate instruction manual, no onboarding call.

Setup: 10–15 minutes
Principles cross-referenced to standard paragraphs
Designed so a junior can follow it alone

1. Control Matrix — 28 columns

The complete identification, classification, linkage, and assessment framework. Amber-highlighted judgment columns for IPE and Key/Non-Key with hover guidance at the exact points where reviewers challenge.

28 columns across 4 blocks
3 fully populated example controls
Dropdowns on all classification fields
Hover comments on every header

2. Risk Assessment — 19 columns

Three-layer structure: Inherent Risk, Control Environment, Combined Assessment. Service-organisation-specific risk factors embedded. Forward linkage to Testing Protocol documented in every row.

Inherent + Control Environment + Combined layers
Fraud risk documentation per ISAE 3000
ISA 315 applied by analogy, correctly referenced
Change from prior year tracked

3. Testing Protocol — 20 columns

Planning block must be completed before fieldwork begins. Corrected paragraph references (sampling is Para. 24–29, not A47–A54). The five critical junior errors posted as a reference banner at the bottom.

Pre-defined deviation criteria section
ISA 530 sample size quick reference embedded
IPE testing steps integrated
TDR vs. observed rate tracking

4. Gap Analysis — 18 columns

Severity framework (Low/Medium/High) with Para. 53–55 opinion triggers. Aggregation assessment section. Nine-item mandatory sign-off checklist that must be complete before the partner can date the report.

Design vs. OE deficiency correctly distinguished
Compensating control 7-element framework
Aggregation assessment (Linford & Co method)
EQCR trigger linked to ISQM 2 A25–A27

+ Bridge Letter — PDF

A clean management representation letter covering the gap period between your ISAE 3402 report date and the user entity's year-end. Gap acceptability table, CUEC section, subservice org coverage, and user auditor guidance.

Gap acceptability: 0–3 / 3–6 / 6+ months guidance
Carve-out vs. inclusive method handled
Executive-only signature requirement explained
ISA 402 user auditor reliance guidance
CUEC Register

Three pre-populated Complementary User Entity Controls matching the three example controls, with user entity testing responsibilities and expected evidence defined. Ready to expand for your engagement.

Assumed in design vs. additional CUECs distinguished
User entity testing responsibility documented
Evidence expected from user entities
Prior period status tracked

Built around what regulators actually check.

Golden thread
Every tab cross-references every other tab. Risk ID in the Risk Assessment links to the Control Matrix. Control ID in the Control Matrix links to the Testing Protocol. The Testing Protocol links to the Gap Analysis. A partner or reviewer can trace from identified risk to opinion conclusion in a single pass — the most common structural question in partner reviews, answered before it's asked.
IPE identification
The #1 PCAOB 2024 deficiency area. Any control relying on a system-generated output gets an IPE flag. The file prompts completeness and accuracy testing separately, with the exact question the PCAOB asks: did you test that the report contained all items it should, and that those items were correctly stated? AT-C 205.36 referenced throughout.
Key/Non-Key rationale
The judgment is documented in writing, before the review. The amber K/NK column requires a written rationale covering: what risk this addresses, whether any compensating control exists, and what would happen if this control failed. The AFM and PCAOB both flag vague K/NK classification — the rationale column removes the ambiguity.
Sampling references
Corrected paragraph references that most files get wrong. ISAE 3402 sampling guidance is in Para. 24–29 and A28–A36. Not A47–A54 — those cover modified opinions. A callout in the Testing Protocol explains the correction. The sample size table is cross-referenced to ISA 530 applied by analogy via ISAE 3000.
Deviation reporting
Per Para. A18, deviations appear in test results even when mitigated. The file documents this explicitly: compensating controls reduce severity — they do not erase the exception. This distinction matters at partner review and in regulatory inspection. The Gap Analysis nine-item checklist enforces it.
Aggregation
Individual Low or Medium findings can combine to a qualification-level finding. The Gap Analysis includes a dedicated aggregation summary section that must be completed before partner sign-off. The Linford & Co aggregation framework is embedded. An EQCR trigger links directly to ISQM 2 A25–A27.

The alternative is more expensive than you think.

The real calculation isn't €249 versus a free template. It's €249 versus the cost of building this yourself, or the cost of a finding.

€4,000: Build it yourself
30–40 hours × €80–150/hour billing rate. Before the engagement starts. Under deadline pressure. With no reference point for what defensible looks like.

€375/hr: External consultant review
€250–500 per hour for a specialist to review your workpapers. One session to identify the IPE gaps, the K/NK rationale issues, the sampling spread problem.

€249: This template pack
One-time. Instant download. Built around the exact deficiency patterns the AFM and PCAOB have documented. Ready to use in the next engagement.
Most mid-tier firm managers have petty cash budgets bigger than €249. This is not a decision — it is professional insurance at the price of a dinner with a client. One AFM finding costs more in remediation and reputation than this template will ever cost.

ISAE 3402 Audit Template Pack

€249

One-time payment · VAT included · Instant download

Excel workbook — 5 tabs, 28-column control matrix, 95 hover-comment judgment prompts
Three fully populated example controls: Logical Access, Payroll, Change Management
CUEC Register with pre-populated entries matching the three example controls
Bridge Letter PDF — gap period coverage, carve-out/inclusive method, user auditor guidance
All ISAE 3402 paragraph references verified — sampling correction included
ISA 530 sample size table, AFM deficiency callouts, ISQM 2 EQR trigger
Free updates when standards change

30-day money-back guarantee · Secure checkout via Gumroad

Questions

Who is this for?

Senior associates and managers at mid-tier audit firms — BDO, Grant Thornton, Mazars, Baker Tilly, and national practices — who are running ISAE 3402 or SOC 1 engagements and need a defensible file structure without building one from scratch. Not for staff at firms that already have proprietary templates; not for practitioners who've never opened the standard.

How long does it take to set up?

10–15 minutes to input your service organization's name, audit period, and engagement type across the tabs. The example rows and judgment prompts are already populated — you're adapting a working file, not filling a blank one.

Is this up to date with current standards?

Yes. References include ISAE 3402 (current), ISA 530 applied by analogy, AT-C 205.36 for IPE, ISQM 2 for EQR triggers, ISA 402 for the bridge letter, and AFM and PCAOB findings through 2025 including the 2024 PCAOB Staff Alert on IPE deficiencies.

Does this work for SOC 1 engagements?

Yes. The control matrix, testing protocol, and gap analysis translate directly — the structural requirements under SSAE 18 (the US equivalent) are substantively the same. The bridge letter explicitly covers ISAE 3402 / SSAE 18. Where US-specific references are relevant (AT-C 205) they're included.

Can I use this at my firm?

Yes, for your own engagements. The license covers use across your client engagements. It doesn't cover redistribution or resale as a firm-wide licensed template — contact ciferi.com if you need firm licensing.

What if the standards change?

You get free updates. When ISAE 3402 is revised or when new AFM/PCAOB guidance materially affects the deficiency patterns in the file, the template is updated and existing buyers get the new version at no charge.