ISAE 3402 requirements: what your organisation actually needs
If a client or their auditor has asked you for an ISAE 3402 report, you're probably wondering where to start. What exactly does the standard require? Who needs to be involved? And how long does the whole process take?
Good news: it's more straightforward than it sounds. Here's what you actually need to know.
What ISAE 3402 is (and what it isn't)
ISAE 3402 — published by the International Auditing and Assurance Standards Board (IAASB) — is an assurance standard for service organisations that handle processes affecting their clients' financial reporting. Think payroll processors, managed IT providers, cloud hosting platforms, and SaaS companies whose systems touch financial data.
It's not a certification. You don't receive a badge or a licence to display. Instead, you commission an independent auditor to produce an assurance report that confirms your internal controls are properly designed and, in the case of a Type II report, actually working over time.
The American equivalent — SSAE 18 / SOC 1 — covers the same territory, so if you're dealing with US-based clients, you'll often see both names crop up.
The two report types and when each applies
Every ISAE 3402 engagement results in either a Type I or a Type II report. The distinction matters, because clients and their auditors generally prefer one over the other.
Type I assesses the design of your controls at a specific date. The auditor walks through your processes — sometimes called line controls — to confirm that the right controls exist and are designed appropriately. It's a useful starting point if you've never been through the process before.
Type II goes further. The auditor evaluates whether those controls operated effectively over a period — at minimum six months, though most engagements run for twelve. This gives user organisations far greater assurance about how your services actually perform day-to-day.
In practice, most clients and their auditors will ask for a Type II report. A Type I is often used as a stepping stone — you get one first, build confidence in your control environment, then move to a Type II in the next cycle.
What the standard actually requires
ISAE 3402 is intentionally flexible in its format, but three components are mandatory in every report:
A description of your internal control framework — what your organisation does, which services are in scope, and how your controls are structured
A written assertion from management — a confirmation from your organisation that the description is accurate and that controls were in place as described
The service auditor's assurance report — the independent opinion from a qualified accountant
Beyond those three, best practice in the Netherlands and across Europe has settled on a consistent structure that includes a general organisational description, a full risk framework (typically following the COSO model), and a control matrix that maps risks to the specific controls that mitigate them.
The control areas you'll need to cover
The controls themselves must relate to your services' impact on user entities' financial reporting. In practical terms, auditors look at IT General Controls (ITGCs) and process controls across areas including:
Logical access management — who has access to systems and data, how access is granted, reviewed, and revoked
Change management — how changes to applications and infrastructure are documented, tested, and approved before going live
IT operations and monitoring — batch processing, job scheduling, interface management between systems
Physical and environmental security — data centre access, hardware controls
Backup and recovery — how data is backed up, how often, and whether restoration has been tested
Incident management — how security incidents are detected, reported, and resolved
Each control area needs a documented control objective (what you're trying to achieve), the specific control activities in place, and — for a Type II report — evidence that those activities happened consistently throughout the review period.
What evidence actually looks like
This is where many organisations underestimate the work involved. The auditor won't take your word for it. You'll need to provide:
System-generated logs (access logs, change tickets, job completion reports)
Policy and procedure documents that are current and approved
Evidence of periodic reviews (e.g., quarterly access reviews, documented and signed off)
Incident reports and resolution records
Backup completion records and restoration test results
The key word is ongoing. For a Type II audit covering six or twelve months, evidence needs to exist across the entire period — not just in the weeks before the audit begins. Starting to build that evidence trail early is one of the most common pieces of advice from experienced auditors.
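As an added illustration (not part of the original article and not Securance's own tooling), the following Python script checks whether an evidence trail covers a Type II review period at the cadence each control commits to, and reports the stretches where nothing was produced. The evidence records, control names, cadences and period dates are all constructed assumptions for the example; in practice they come from your own control matrix and ticketing or logging systems.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Evidence:
    """One piece of evidence the auditor could be shown."""
    control: str     # control area it supports, e.g. "access_review"
    produced: date   # date the record was generated or signed off
    reference: str   # constructed ticket / file reference, not a real system id


# Expected cadence per control, in days. These are assumptions for the example;
# the real frequency is whatever your own control description commits to.
CADENCE_DAYS = {
    "access_review": 92,      # quarterly access review, documented and signed off
    "backup_completion": 7,   # weekly backup completion record
    "restore_test": 183,      # restoration tested at least every six months
}

PERIOD_START = date(2024, 1, 1)    # assumed twelve-month Type II review period
PERIOD_END = date(2024, 12, 31)


def _constructed_records():
    """Build a sample evidence trail (constructed, not real audit data)."""
    records = [Evidence("access_review", d, f"AR-{d.isoformat()}")
               for d in (date(2024, 3, 15), date(2024, 6, 14),
                         date(2024, 9, 13), date(2024, 12, 13))]
    # Weekly backup completion records for the whole year, except that none
    # were retained for August, which should show up as a gap.
    for week in range(53):
        d = PERIOD_START + timedelta(days=7 * week)
        if d.month != 8:
            records.append(Evidence("backup_completion", d, f"BK-{d.isoformat()}"))
    # A single restore test, run only shortly before audit fieldwork.
    records.append(Evidence("restore_test", date(2024, 11, 20), "RT-2024-11-20"))
    return records


SAMPLE_RECORDS = _constructed_records()


def coverage_gaps(records, control, period_start, period_end, max_gap_days):
    """Return (start, end) date pairs between which no evidence for `control`
    exists within max_gap_days. The period boundaries act as anchors, so a
    control evidenced only in the weeks before the audit is flagged as a gap
    from the period start. Evidence dated outside the period is ignored, which
    is deliberately conservative."""
    dates = sorted(r.produced for r in records
                   if r.control == control and period_start <= r.produced <= period_end)
    anchors = [period_start] + dates + [period_end]
    return [(earlier, later) for earlier, later in zip(anchors, anchors[1:])
            if (later - earlier).days > max_gap_days]


def type_ii_readiness(records, period_start, period_end, cadence=CADENCE_DAYS):
    """Map each control to its evidence gaps over the review period.
    An empty list means the trail is continuous at the expected cadence."""
    return {control: coverage_gaps(records, control, period_start, period_end, days)
            for control, days in cadence.items()}


if __name__ == "__main__":
    for control, gaps in type_ii_readiness(SAMPLE_RECORDS, PERIOD_START, PERIOD_END).items():
        if not gaps:
            print(f"{control}: evidence continuous across the period")
        for start, end in gaps:
            print(f"{control}: no evidence between {start} and {end} "
                  f"({(end - start).days} days)")
```

Run against the constructed data, the access reviews pass, the missing August backup records surface as a gap between late July and early September, and the single restore test is flagged from the start of the period, which is the "built the evidence in the weeks before the audit" pattern the paragraph warns about. Pointing the same check at exports from your own ticketing and backup systems gives an early warning long before fieldwork starts.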
The readiness assessment: your practical first step
Before diving into a full audit, most service organisations benefit from a readiness assessment. This involves mapping your current controls against what the standard requires, identifying gaps, and prioritising remediation before an auditor formally arrives.
A readiness assessment typically surfaces issues like undocumented processes, informal controls that have no evidence trail, and access management practices that haven't been reviewed in years. Fixing these ahead of the audit saves time and avoids qualified opinions in your final report.
At Securance, we work with SaaS and tech organisations across Europe to run exactly this kind of structured preparation — helping you understand what you already have, what needs strengthening, and how to get audit-ready without unnecessary disruption to the business.
Is ISAE 3402 mandatory?
No regulation requires you to hold an ISAE 3402 report. As Buzzacott notes, obtaining one is typically driven by client or stakeholder expectations — often as a condition of winning or retaining business contracts. That said, for service organisations that handle outsourced financial processes, it's increasingly a table-stakes requirement rather than a nice-to-have.
The commercial case is clear: rather than allowing dozens of client auditors to show up at your offices each year and assess your controls independently, a single ISAE 3402 report satisfies all of them at once. That's a significant efficiency gain for both you and your clients.
How it connects to other standards
If your organisation already holds an ISO 27001 certification or is working towards SOC 2, you're not starting from scratch. There's significant overlap in the control domains. ISO 27001 covers many of the same IT security areas that ISAE 3402 auditors examine, so your existing documentation and controls can often be reused or adapted.
Securance's Single Audit, Multiple Standards approach is built around exactly this kind of efficiency — covering ISAE 3402, ISO 27001, SOC 2, and other frameworks in a single coordinated engagement rather than treating each as a separate workstream.
The bottom line: ISAE 3402 isn't as complicated as it looks on paper. The requirements are clear, the process is well-established, and the commercial payoff — client confidence, audit efficiency, competitive differentiation — is real. Start with a readiness assessment, get your evidence trail in order, and the rest follows naturally.