AuditXYZ

International Standard on Assurance Engagements 3402

ISAE 3402 is the international standard for assurance reports on controls at service organizations. This guide covers Type 1 and Type 2 reports, the audit process, and how ISAE 3402 relates to SOC 1.

Issuing Body: International Auditing and Assurance Standards Board (IAASB)
First Published: 2009-12-15
Latest Version: 2009 (effective 2011)
Typical Cost: $30,000–$150,000
Typical Timeline: 3–9 months
Audit Required: Yes
Audit Frequency: Annual reporting is standard practice. Type 2 reports cover a minimum 6-month observation period.
Geography: Global

ISAE 3402: Service Organization Assurance Report Guide

ISAE 3402 is the international assurance standard for reporting on controls at service organizations that are relevant to user entities' internal control over financial reporting. It is the global equivalent of the US SSAE 18 standard and provides the framework for what are commonly known as SOC 1 reports outside the United States. ISAE 3402 reports give user organizations and their auditors confidence that a service provider's controls are appropriately designed and operating effectively.

What ISAE 3402 Covers

ISAE 3402 defines requirements for the service auditor to obtain sufficient appropriate evidence to provide a reasonable assurance opinion on the service organization's description of its system, the suitability of control design (Type 1), and operating effectiveness (Type 2). The standard governs the structure and content of the report, including the service organization's description, management's assertion, the auditor's report, and the description of tests and results.

Type 1 reports assess control design at a specific point in time. Type 2 reports assess both design and operating effectiveness over a defined period (minimum six months). Type 2 reports are significantly more valuable as they demonstrate that controls actually worked as designed over time.

Who Needs ISAE 3402 Reports

Service organizations whose services affect their clients' financial reporting controls should obtain ISAE 3402 reports. This includes payroll processors, hosting providers managing financial applications, payment processors, fund administrators, claims processors, and any outsourced service that affects the integrity of client financial data. In many jurisdictions, user entity auditors require ISAE 3402 reports to support their own audit opinions.

Engagement Process

The service organization defines control objectives and describes its system. Management prepares an assertion about the fairness of the description and design (and effectiveness for Type 2) of controls. The service auditor plans and executes testing, examines evidence, and issues a report with an opinion. For Type 2 engagements, the auditor tests operating effectiveness through inquiry, observation, inspection, and reperformance over the reporting period.

Cost Considerations

ISAE 3402 reports typically cost $30,000 to $150,000 depending on scope, number of controls, and report type. Type 2 reports cost approximately 40-60% more than Type 1 due to the extended testing period. Organizations should also budget for internal readiness activities including control documentation, evidence preparation, and remediation of any issues identified during testing.
