ISAE 3402
ISAE 3402 is the international assurance standard for reporting on controls at a service organisation. It is the SOC 1 equivalent used outside the United States, most commonly required when a service organisation processes data that affects the financial reporting of its customers.
European enterprise procurement teams ask for ISAE 3402 specifically because that is the standard their auditors test against. A SOC 1 report is not always enough. The choice between Type I and Type II matters: Type I is a snapshot of control design; Type II tests operating effectiveness across six to twelve months and is what large customers actually accept. ISAE 3402 is not on the published framework catalogue of most US-built GRC platforms.
Practical guides
When customers ask for an ISAE 3402 report
European enterprise customers ask for an ISAE 3402 report when your service could materially affect their financial statements. Common triggers include payroll, hosted accounting, transaction processing, fund administration, claims handling, and custody services.
ISAE 3402 evidence collection: what auditors actually test
ISAE 3402 evidence breaks into three categories: walkthrough evidence (the auditor confirms the control exists), detailed testing (samples drawn from the population), and inquiry plus corroboration. The mix determines audit hours and the strength of the resulting opinion.