ISAE 3402
Also known as: International Standard on Assurance Engagements 3402, ISAE 3402 report
ISAE 3402 is the international assurance standard for reporting on controls at a service organisation. It is the SOC 1 equivalent used outside the United States, most commonly required when a service organisation processes data that affects the financial reporting of its customers.
What ISAE 3402 covers
ISAE 3402 was issued by the International Auditing and Assurance Standards Board (IAASB). It is used by service auditors to report on the controls a service organisation has in place over services that are relevant to the user organisation’s internal control over financial reporting.
Typical use cases include payroll processing, hosted accounting systems, transaction processing, fund administration, claims handling, and custody services. If the service materially affects how the user organisation reports its financials, the user’s auditor will ask for an ISAE 3402 report.
ISAE 3402 vs SOC 1
ISAE 3402 and SOC 1 cover the same ground (controls at a service organisation relevant to financial reporting), but they are issued under different professional standards. SOC 1 is the American Institute of Certified Public Accountants (AICPA) variant, used in the United States. ISAE 3402 is the international variant, used in Europe and most other markets.
In Europe, ISAE 3402 is what enterprise procurement asks for in place of SOC 1. A SOC 1 report is not always enough. Large European customers and their auditors specifically request ISAE 3402 because that is the standard their auditors test against.
The two report types
ISAE 3402 reports come in two variants. A Type I report describes the design of controls at a point in time. A Type II report tests their operating effectiveness over a period (typically six to twelve months). Type II is what most large customers require for ongoing assurance.