What is ISAE 3402? A complete guide for service organizations


Kees van der Vlies

Partner | IT Auditor


ISAE 3402 (International Standard on Assurance Engagements 3402) is an international assurance standard for reporting on controls at service organizations. If your organization provides services that affect the financial reporting of your clients, ISAE 3402 is likely relevant to you.

The standard was developed by the International Auditing and Assurance Standards Board (IAASB) and is the international equivalent of the American SSAE 18 / SOC 1 standard. It is widely used in Europe and other international markets.

Who needs ISAE 3402?

ISAE 3402 is relevant to any organization that processes, stores or manages data or transactions on behalf of clients, where those services are relevant to the clients' financial statements. Common examples include payroll processors, hosting providers handling financial applications, pension administrators, payment service providers, and IT managed service providers.

Type I vs Type II

Like SOC 2, ISAE 3402 comes in two types. Type I reports on the design of controls at a specific date. Type II reports on both design and operating effectiveness over a minimum period of six months. Most clients and their auditors require Type II because it provides evidence that controls worked consistently over time.

The audit process

An ISAE 3402 audit involves several phases. First, scoping: determining which services and controls are in scope. Second, control documentation: describing the control environment, control objectives and specific controls. Third, testing: the auditor tests whether controls are designed effectively (Type I) and operated effectively (Type II). Finally, reporting: the auditor issues an opinion on whether your controls meet the stated objectives.

Why it matters

For many service organizations, an ISAE 3402 report is a market requirement. Your clients' auditors need assurance about the controls you operate on their behalf. Without an ISAE 3402 report, those auditors may need to perform their own testing at your organization, which is disruptive and inefficient for everyone involved.

We have extensive experience in ISAE 3402 audits across industries. Whether you are preparing for your first report or looking to optimize your existing audit, we can help. Contact us for a consultation.
