Skip to main content

ISAE 3402

Organizations increasingly outsource non-core business processes to service organizations. A Service Organization Control (SOC) report in compliance with ISAE 3402 provides assurance over outsourcing. The ISAE 3402 standard is originated due to growing demand for control over outsourced activities. The outsourced services can be Software-As-A-Service (SaaS) providers, asset managers, data centers or property managers. 


Supervisory authorities of financial institutions require institutions such as banks, pension funds and insurers to have control over outsourced processes to service organisations. Laws and regulations require these instititutions to acquire this information of their service organizations by means of a SOC report in compliance with ISAE 3402; the international standard for assurance over outsourcing. ISAE 3402 is the international successor of the US SAS70 standard since 2011. In the US, the SAS70 standard was replaced by SSAE 18 (SOC1) in 2011. By providing assurance on outsourced processes via an ISAE 3402 / SOC 1 report, insight is provided in the effectiveness of the execution of services, the security controls surrounding these services and the presence of sufficient anti-fraud measures. 


ISAE 3402

Outsourced services requires that information from a service organization is acquired to assess and address the risks associated with outsourced services. Service Organization Control (SOC) reports are internal control reports that provide this information. ISAE 3402 is the international standard for assurance on SOC reports. An ISAE 3402 typically includes the risk management framework, a description of controls and an assurance (audit) opinion of an independant auditor.

ISAE 3402 and outsourcing


ISAE 3402 is relevant for organizations providing services to other organizations, e.g. Asset Managers, Pension Service Providers, Software As A Service (SaaS)-providers, Infrastructure As A Service (IaaS)-providers, Platform As A Service (PaaS)-providers and Datacenter (Service) providers. ISAE 3402 is relevant if outsourced processes are related to financial processes. If processes relate to General IT Controls (GITC's) a SOC 2 (ISAE 3000) might be more relevant.

Service providers

ISAE 3402 is an internationally recognized auditing standard issued by the International Auditing and Assurance Standards Board (IAASB). A Service organization’s auditor's examination performed in accordance with ISAE 3402 is widely recognized, because it represents an in-depth audit of a service organization’s control objectives and control activities, which often include controls over information technology and related processes. For service organizations this improves their ability to perform outsourcing services to corporates and these corporates are more likely to trust the services provided. The scope of the examination of the external auditor includes the classes of transactions in the service organization’s operations that are significant to the user organization’s financial statements, and processes that are specifically defined by the service organization. 

Yearly cycle

Audit process

ISAE 3402 audit process

ISAE 3402 assurance report

ISAE 3402 is applicable when an independent auditor ("user auditor") is planning the financial statement audit of an entity ("user organization") that obtains services from another organization ("service organization"). A SOC1 repport ("ISAE 3402 report") allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of the auditt. ISAE 3402 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the IAASB’s standards for fieldwork, quality control, and reporting. In an audit of a user organization's financial statements, the user auditor obtains an understanding of the entity's internal control. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach for the audit of financial statements and generally implies that the auditor doesn't perform an seperate audit on outsourced processes. A service auditor may issue two types of reports; an ISAE 3402 Type I report or an ISAE 3402 Type II report.

ISAE 3402 type I

An ISAE 3402 Type I report includes an opinion of an external auditor on the controls placed in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are accomplished and whether the controls are in place. A Type I audit opinion is not sufficient for an user auditor to perform less audit procedures on outsourced services.

ISAE 3402 type II

In an ISAE 3402 Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls in a predefined period. This implies that the external auditor performs a detailed examination of the internal control of the service organization and also examines whether all controls are operating effectively in accordance with the predefined processes and controls.

Risklane and ISAE 3402

Risklane is established in 2004 and advices and supports a significant number of European datacenters, SaaS providers, managed service providers, property managers and institutional investors. Organizations will experience the benefits of our in depth experience, our pragmatic- and professional approach for implementing compliance standards. Risklane prepares all ISAE 3402 reports in compliance with industry specific best practices and generally accepted compliance frameworks, sush as COSO 2013 and COBiT 5.0. These are considered as the most advanced- and professional standards in the industry and will support your customers to trust your organization.