
When customers ask for an ISAE 3402 report

European enterprise customers ask for an ISAE 3402 report when your service could materially affect their financial statements. Common triggers include payroll, hosted accounting, transaction processing, fund administration, claims handling, and custody services.

The trigger: financial-reporting relevance

Auditors are required to consider the controls of service organisations that are relevant to the user’s internal control over financial reporting. Where the user relies on the service materially, the user’s auditor needs evidence that the service organisation’s controls operate effectively. ISAE 3402 (or SOC 1) is the mechanism for delivering that evidence at scale.

The threshold is materiality to the user’s financial statements, not the size of the service organisation. A small SaaS providing core payroll calculation to a large enterprise will be asked for an ISAE 3402 report. A larger SaaS providing peripheral analytics may not be.

Common triggering services

  • Payroll processing and hosted HR systems where pay is calculated.
  • Hosted accounting platforms, especially those used for the customer’s general ledger.
  • Transaction processing (payments, settlements, invoicing) where the customer’s books move based on the platform’s data.
  • Fund administration, including NAV calculation, investor recordkeeping, and capital call processing.
  • Claims handling for insurance carriers.
  • Securities custody, transfer agency, and trust services.
  • Treasury and cash management platforms.
  • Outsourced financial close, consolidation, and reporting services.

Why SOC 1 is sometimes not enough

A SOC 1 report covers the same subject matter as an ISAE 3402 report and is performed under AICPA standards. European auditors often accept SOC 1, but not always. Large European institutional customers and audit firms based in Europe will sometimes specifically ask for ISAE 3402 because that is the standard their statutory auditors are trained on and reference in their workpapers.

Practical implication: if your customer base skews European or you sell into large European banks, insurers, asset managers, or audit firms, an ISAE 3402 report removes friction. A SOC 1 report can be challenged.

Timeline from first customer ask to delivery

A realistic timeline from first customer ask to a delivered Type II report is eight to fourteen months. Steps:

  • Scoping and control identification: four to eight weeks. Define the system description, list the control objectives, and write the control descriptions.
  • Evidence collection setup: two to six weeks. Define the evidence required per control, the collection cadence, and the sample populations the auditor will draw from.
  • Type I (optional first step): two to four weeks for fieldwork after the as-of date. Useful if customers will accept a Type I as a stop-gap.
  • Type II period: six to twelve months of evidence collection. This is the unavoidable calendar drag.
  • Fieldwork: two to six weeks of auditor testing after the period ends.
  • Report drafting and review: four to six weeks.
  • Final report issued and shared under NDA with customers and their auditors.

What customers actually accept while you wait

Most enterprise customers will sign with a service organisation that does not yet have an ISAE 3402 report, provided there is a credible plan and a target date. Common interim artefacts: a gap assessment, a scoping letter from the planned auditor, an internal control description, and a commitment to a first Type II period start date. Many will also accept a strong ISO 27001 certification as evidence of broader control maturity while ISAE 3402 work is in progress.
