ISAE 3402 - Assurance Reports on Controls at a Service Organisation
International Standard on Assurance Engagements (ISAE) 3402, issued by the International Auditing and Assurance Standards Board (IAASB), provides a framework for practitioners to issue assurance reports on controls at a service organisation. Type 1 reports describe controls and their design suitability at a point in time. Type 2 reports also include operating effectiveness testing over a period. Used globally (outside the US where SSAE 18 applies) for service organisation assurance, particularly in financial services, IT outsourcing, and cloud computing.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (20)
Assertion
| Code | Title |
|---|---|
| ISAE3402.2 | Management Written Assertion |
Communication
| Code | Title |
|---|---|
| ISAE3402.18 | Communication with Service Organisation |
| ISAE3402.20 | Bridge Letters |
Description
| Code | Title |
|---|---|
| ISAE3402.10 | Complementary User Entity Controls (CUECs) |
| ISAE3402.3 | System Description |
Design
| Code | Title |
|---|---|
| ISAE3402.5 | Control Design Assessment (Type 1 and 2) |
Distribution
| Code | Title |
|---|---|
| ISAE3402.21 | Restricted Use |
Documentation
| Code | Title |
|---|---|
| ISAE3402.16 | Documentation |
Engagement
| Code | Title |
|---|---|
| ISAE3402.1 | Engagement Acceptance |
| ISAE3402.19 | Period Covered for Type 2 |
| ISAE3402.7 | Type 1 vs Type 2 Selection |
Engagement Requirements
| Code | Title |
|---|---|
| ISAE3402-1 | Engagement Acceptance |
| ISAE3402-2 | Materiality and Risk |
| ISAE3402-3 | Evidence and Documentation |
Events
| Code | Title |
|---|---|
| ISAE3402.13 | Subsequent Events |
Management Assertion
| Code | Title |
|---|---|
| ISAE3402-7 | Management Statement |
| ISAE3402-8 | Control Objectives |
Objectives
| Code | Title |
|---|---|
| ISAE3402.4 | Control Objectives |
QC
| Code | Title |
|---|---|
| ISAE3402.17 | Quality Control |
Reliance
| Code | Title |
|---|---|
| ISAE3402.12 | Use of Internal Audit Work |
Report
| Code | Title |
|---|---|
| ISAE3402.14 | Service Auditor Report Content |
| ISAE3402.15 | Modified Opinions |
Risk
| Code | Title |
|---|---|
| ISAE3402.11 | Risk Assessment by Service Auditor |
Subservice
| Code | Title |
|---|---|
| ISAE3402.8 | Carve Out Method |
| ISAE3402.9 | Inclusive Method |
System Description
| Code | Title |
|---|---|
| ISAE3402-4 | Description of System |
| ISAE3402-5 | Fair Presentation |
| ISAE3402-6 | Complementary User Entity Controls |
Testing
| Code | Title |
|---|---|
| ISAE3402.6 | Operating Effectiveness Testing (Type 2) |
Type I Report
| Code | Title |
|---|---|
| ISAE3402-T1-1 | Design of Controls at Point in Time |
| ISAE3402-T1-2 | Service Auditor Opinion (Type I) |
Type II Report
| Code | Title |
|---|---|
| ISAE3402-T2-1 | Operating Effectiveness (Min 6 Months) |
| ISAE3402-T2-2 | Tests and Results |
| ISAE3402-T2-3 | Service Auditor Opinion (Type II) |
Your Compliance Coverage
If you comply with ISAE 3402 - Assurance Reports on Controls at a Service Organisation, you already cover:
ISO/IEC 42001:2023
6%
2 controls mapped
Compare →ISO 22301:2019
6%
2 controls mapped
Compare →ISO 13485:2016
6%
2 controls mapped
Compare →+ 13 more: ISO 31000:2018 (6%), ISO 45001:2018 (3%)
See all 16 mapped frameworks ↓Maps to 16 other frameworks
Frequently Asked Questions
What is ISAE 3402 - Assurance Reports on Controls at a Service Organisation?
ISAE 3402 - Assurance Reports on Controls at a Service Organisation is a compliance framework from International (IAASB) with 20 domains and 34 controls. International Standard on Assurance Engagements (ISAE) 3402, issued by the International Auditing and Assurance Standards Board (IAASB), provides a framework for practitioners to issue assurance reports on controls at a service organisation. Type 1 reports describe controls and their design suitability at a point in time. Type 2 reports also include operating effectiveness testing over a period. Used globally (outside the US where SSAE 18 applies) for service organisation assurance, particularly in financial services, IT outsourcing, and cloud computing. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does ISAE 3402 - Assurance Reports on Controls at a Service Organisation have?
ISAE 3402 - Assurance Reports on Controls at a Service Organisation has 34 controls organised across 20 domains. The largest domains are Engagement (3 controls), Engagement Requirements (3 controls), System Description (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does ISAE 3402 - Assurance Reports on Controls at a Service Organisation map to?
ISAE 3402 - Assurance Reports on Controls at a Service Organisation maps to 16 other compliance frameworks. The top mapping partners are ISO/IEC 42001:2023 (6% coverage), ISO 22301:2019 (6% coverage), ISO 13485:2016 (6% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with ISAE 3402 - Assurance Reports on Controls at a Service Organisation compliance?
Start your ISAE 3402 - Assurance Reports on Controls at a Service Organisation compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ISAE 3402 - Assurance Reports on Controls at a Service Organisation requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 34 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.
Get Started Free →Free forever — no credit card required