Question 1

What is ISAE 3402?

Accepted Answer

ISAE 3402 is an international assurance standard for reports on controls at service organisations that are relevant to user entities' financial reporting.

Question 2

What is ISAE 3000?

Accepted Answer

ISAE 3000 is a broader assurance standard covering assurance engagements other than audits or reviews of historical financial information, often used for non-financial subject matter such as cybersecurity, privacy or ESG controls.

Question 3

Who uses ISAE reports?

Accepted Answer

User entities and their auditors rely on ISAE reports to understand and evaluate the controls at service organisations that affect their own control environment or assurance needs.

Question 4

What is the difference between Type 1 and Type 2?

Accepted Answer

A Type 1 report addresses the fairness of the description and the suitability of the design of controls at a specific date. A Type 2 report additionally addresses the operating effectiveness of controls over a period.

Question 5

What is a carve-out?

Accepted Answer

A carve-out is a method of presenting subservice organisations in the report where their controls are excluded from the description and testing, but their nature and interaction are disclosed.

Question 6

What are complementary user entity controls?

Accepted Answer

CUECs are controls that user entities must implement to achieve the control objectives described in the service organisation's report.

Question 7

How does ISAE 3402 relate to SOC 1?

Accepted Answer

SOC 1 is a US AICPA engagement that addresses similar subject matter using SSAE 18 AT-C 320. SOC 1 and ISAE 3402 reports are broadly aligned and often combined into a single report.

Question 8

How does ISAE 3000 relate to SOC 2?

Accepted Answer

SOC 2 is a US AICPA engagement using the Trust Services Criteria. Equivalent engagements under ISAE 3000 are often performed in Europe, sometimes delivered jointly as SOC 2 + ISAE 3000 reports.

Question 9

How long is a typical reporting period?

Accepted Answer

Type 2 reporting periods typically cover six or twelve months, depending on the maturity of the control environment and user entity needs.

Question 10

How does Basenorm support ISAE engagements?

Accepted Answer

Basenorm centralises scope, controls, evidence, auditor requests and remediation, with automated evidence collection and mappings to SOC 2 and ISO 27001 for multi-framework reuse.

ISAE 3402 and ISAE 3000
Assurance for Service Organisations

Control Description and Scoping

Control Objectives

Assurance Scope

Report Type Selection

Type 1 and Type 2 Evidence

Auditor Collaboration and Reporting

Auditor Report

Ready for a smoother ISAE engagement?

Frequently Asked Questions

ISAE 3402 and ISAE 3000Assurance for Service Organisations