ISAE 3402 is an international assurance standard issued by the International Auditing and Assurance Standards Board (IAASB). It gives service organisations a formal way to obtain an independent auditor's report on their internal controls. UK financial services firms, banks, and large enterprise clients routinely ask their service providers to provide an ISAE 3402 report as part of third-party risk management and regulatory due diligence.
If your organisation provides outsourced IT services, payroll processing, fund administration, cloud hosting, or managed security services, an ISAE 3402 report is likely to be a condition of maintaining or growing your most important client relationships. This guide explains what ISAE 3402 is, how it works, and what your organisation needs to do to obtain one.
- What ISAE 3402 is and why it matters for UK service organisations in 2026
- The difference between ISAE 3402 Type I and Type II reports
- Which types of organisation need an ISAE 3402 report
- What an ISAE 3402 report contains, section by section
- The step-by-step process for obtaining a report with realistic timelines
- How ISAE 3402 compares to SOC 2 and which one applies to your organisation
- How GRC Index supports ISAE 3402 readiness and practitioner training
ISAE 3402 stands for International Standard on Assurance Engagements 3402. It was issued by the IAASB in 2009 and replaced the earlier SAS 70 standard, which had been widely used in the US and internationally since 1992.
The standard sets out how an independent auditor assesses and reports on the internal controls of a service organisation. A service organisation, in ISAE 3402 terms, is any organisation that provides services to other organisations where those services form part of the client's own financial reporting or business processes.
The assurance report produced under ISAE 3402 gives clients confidence that their service provider has appropriate controls in place. Rather than each client conducting its own individual audit of the provider's controls, a single independently verified ISAE 3402 report serves the entire client base. This replaces hundreds of repetitive questionnaires with one authoritative document.
- Service Organisation: The organisation providing outsourced services, such as a payroll bureau, cloud hosting provider, or fund administrator. This is the entity that commissions the ISAE 3402 audit.
- User Organisation: The client that relies on the service organisation's processes and controls as part of its own operations or financial reporting.
- User Auditor: The external auditor of the user organisation. They may rely on the ISAE 3402 report as formal audit evidence for the controls that have been delegated to the service provider.
Three regulatory and commercial developments are driving demand for ISAE 3402 reports across UK service organisations.
The first is DORA, the Digital Operational Resilience Act. Financial services entities operating in EU markets must demonstrate formal oversight of critical third-party providers. An ISAE 3402 Type II report is the most widely accepted form of independent control assurance for this purpose.
The second is FCA and PRA outsourcing oversight. UK financial services firms are required by the Financial Conduct Authority and the Prudential Regulation Authority to conduct thorough due diligence on outsourced service providers. Both regulators accept ISAE 3402 reports as credible, independent evidence of control design and effectiveness.
The third is enterprise procurement. Large organisations increasingly list ISAE 3402 as a qualification requirement when assessing technology and professional service providers. Without a current report, service organisations are often excluded from consideration before a commercial conversation begins.
Any service organisation whose processes or systems affect its clients' financial reporting, data integrity, or operational continuity may need an ISAE 3402 report. The following categories of service organisation are most commonly required to obtain one.
If your organisation falls into any of these categories and your clients are financial services firms, regulated businesses, or large enterprises, an ISAE 3402 report is likely to be a condition of maintaining and growing those relationships.
ISAE 3402 produces two types of report. Understanding the difference is important because clients, regulators, and auditors generally have a clear and specific preference.
A Type I report covers the design of controls at a single point in time, for example 31 March 2026. It answers one question: are the controls suitably designed to meet the stated control objectives?
The auditor reviews control documentation, policies, and system descriptions to reach their conclusion. A Type I report does not include testing of whether controls operated in practice. It is appropriate for organisations pursuing ISAE 3402 for the first time, or for clients at an early stage of due diligence. Most enterprise clients and financial regulators, however, require the stronger assurance that only a Type II report provides.
A Type II report covers both the design of controls and their operating effectiveness over a defined review period. The review period is typically six to twelve months, for example 1 April 2025 to 31 March 2026.
The auditor selects samples of evidence gathered throughout the observation period and tests whether each control operated without exception. The final report includes an opinion on both design and operation. Type II reports carry significantly more weight with clients, auditors, and regulators. They require a longer timeline and greater evidence collection than Type I, but they are the accepted standard for established service organisations.
If your organisation is obtaining ISAE 3402 for the first time, a Type I report is a reasonable starting point to establish your control framework and demonstrate initial readiness. However, a Type I report should be treated as a stepping stone. If your clients are UK financial services firms, DORA-subject entities, or large enterprises, they will require a Type II report. Plan your engagement timeline to transition to Type II as quickly as your control evidence allows.
An ISAE 3402 report follows a defined structure. Understanding each section helps service organisations prepare for the audit and helps user organisations interpret the findings.
The Management's Assertion is a formal statement signed by the service organisation's senior management. It confirms that the System Description accurately represents the organisation's systems and processes, that the controls are suitably designed, and, for Type II reports, that the controls operated effectively throughout the review period. It is the organisation's direct accountability statement within the report.
The Auditor's Report is the section that clients and their auditors rely on. It contains the auditor's formal opinion on whether the controls are suitably designed (Type I and Type II) and, for Type II, whether they operated effectively throughout the review period. The auditor's opinion directly determines whether the report is accepted by the receiving party.
The System Description gives a detailed account of the service organisation's systems, processes, and control environment. It covers the services provided, the infrastructure and software used, the people responsible for running controls, and the specific control procedures in place. It is prepared by management and forms the foundation against which the auditor assesses controls.
The control objectives and testing results section is the core technical part of the report. It sets out each control objective, the controls designed to meet that objective, and, for Type II reports, the results of the auditor's testing of each control during the review period. Where a control operated without exception throughout the period, the auditor records a clean result. Where exceptions were identified, the auditor describes the nature and frequency of each exception and, where relevant, whether management has taken corrective action.
Management may include supplementary information within the report, such as context on the control environment, responses to identified exceptions, or forward-looking statements about planned improvements. This section is not covered by the auditor's opinion. Clients should read it alongside the auditor's report rather than in place of it.
Obtaining an ISAE 3402 report follows a structured process. The steps below apply to both Type I and Type II engagements, with the key difference that Type II requires an extended observation period before audit fieldwork can begin.
Select an IAASB-registered audit firm with ISAE 3402 experience. The auditor must be independent of the service organisation. Before any work begins, agree the scope of the engagement, the control objectives to be covered, and for Type II reports, the review period dates.
The audit firm conducts a pre-engagement review of your current controls against the agreed scope. This step identifies gaps between your existing practices and ISAE 3402 requirements before the formal audit begins. A thorough readiness assessment prevents surprises during fieldwork and reduces the risk of exceptions in the final report.
Address the weaknesses identified during the readiness assessment. This typically involves documenting controls that exist in practice but have not been formally recorded, strengthening access management procedures, formalising change management workflows, updating the System Description, and establishing evidence collection routines.
For Type II reports, controls must be observed operating in practice over the agreed review period, which is typically six to twelve months. Evidence of control operation is collected throughout this period. This is the longest phase of the process and cannot be shortened. Organisations should plan their engagement timeline with this requirement in mind.
The auditor tests controls against the stated objectives. For Type I, this involves reviewing control design documentation and the System Description. For Type II, the auditor selects samples of evidence collected during the observation period and tests each control for consistent and effective operation.
Senior management of the service organisation prepares and signs the Management Assertion, confirming the accuracy of the System Description and the suitability of controls. For Type II, management also confirms that controls operated effectively throughout the review period.
The auditor issues the final ISAE 3402 report, including the auditor's opinion, the System Description, and the control objectives and testing results. The report is then distributed to user organisations and their auditors as required by the service organisation's client commitments.
Realistic timelines:

- Type I, first engagement: 3 to 5 months from auditor appointment to report issuance
- Type II, first engagement: 9 to 14 months (includes a minimum 6-month observation period)
- Type II renewal for an established programme: 4 to 6 months once the review period closes
- Readiness gap remediation adds 1 to 3 months for organisations with undocumented controls
ISAE 3402 and SOC 2 are the two most widely recognised service organisation assurance standards. They serve a similar purpose but are designed for different markets.
ISAE 3402 is issued by the IAASB and is the standard used across the UK, Europe, Asia-Pacific, and global financial services. It is the assurance framework that UK financial services firms, banks, fund managers, and regulated businesses request from their service providers. If your primary clients are in these sectors, ISAE 3402 is the correct standard to pursue.
SOC 2 is issued by the AICPA and is primarily used in North American markets. It evaluates service organisation controls against five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. It is the standard commonly required by US-headquartered enterprise technology clients and SaaS procurement teams.
The decision comes down to where your clients are based and what they require. UK financial services and regulated clients expect ISAE 3402. US enterprise technology clients expect SOC 2. Global service organisations with clients in both markets commonly hold both standards simultaneously. There is no regulatory or technical barrier to maintaining both, and many internationally operating service providers do so.
One practical point: the control preparation work for ISAE 3402 and SOC 2 overlaps significantly. Organisations that document their controls and evidence collection routines well for one standard are in a good position to pursue the other without starting from scratch.
Enterprise clients and financial services firms conduct detailed due diligence on every significant service provider. Without an ISAE 3402 report, your organisation must respond to individual questionnaires from each client, often answering the same questions in different formats across different teams. A single ISAE 3402 Type II report satisfies the due diligence requirements of multiple clients at the same time. The administrative saving is substantial, and the quality of the assurance provided is significantly higher than a self-completed questionnaire.
Under DORA, financial entities that use your services must maintain documented assurance on the controls of critical third-party providers. An ISAE 3402 Type II report provides that assurance in the format that regulators and their auditors recognise and accept. For service organisations supporting UK or EU financial services clients, obtaining ISAE 3402 directly supports your clients' own regulatory compliance.
Procurement teams at large organisations, cyber insurance underwriters, and institutional investors increasingly list ISAE 3402 as a qualification criterion. Service organisations without a current report are frequently excluded from tender processes before any commercial discussion begins. A published ISAE 3402 report removes this barrier and functions as independent, verifiable evidence of control quality during the sales process.
The readiness assessment that precedes an ISAE 3402 audit almost always surfaces weaknesses that were not visible internally. Addressing these before the formal audit reduces the risk of exceptions in the final report and improves the overall quality of the service organisation's control environment. The process of preparing for ISAE 3402 typically advances the organisation by one or two levels on the GRC maturity scale.
The GRC Index assessment evaluates your organisation's governance, risk management, compliance, resilience, and data security controls against a framework that incorporates ISAE 3402 requirements. The assessment identifies specific control gaps that would generate exceptions in an ISAE 3402 audit, giving your organisation a clear remediation plan before committing to the formal audit process.
Organisations that complete a GRC Index assessment before beginning their ISAE 3402 engagement consistently report a shorter remediation phase and fewer exceptions in the final auditor's report. An independent GRC Index score also demonstrates to prospective clients that your organisation takes assurance seriously, even before a full ISAE 3402 audit is in place.
The GRC Index Education Centre offers structured training in ISAE 3402 for practitioners, compliance managers, and internal audit professionals. The programme covers the ISAE 3402 framework in detail: System Description requirements, control objective development, evidence collection standards, auditor assessment processes, and the specific requirements of Type I and Type II reports.
Training is available for individuals preparing for a first ISAE 3402 audit, internal auditors maintaining an existing ISAE 3402 control environment, and compliance professionals advising clients on ISAE 3402 requirements.
ISAE 3402 is an international assurance standard issued by the International Auditing and Assurance Standards Board (IAASB). It provides a framework for service organisations to obtain an independent auditor's report on the design and operating effectiveness of their internal controls. The standard is widely used by IT service providers, payroll processors, fund administrators, and other organisations that handle critical processes on behalf of their clients.
A Type I report covers the design of controls at a single point in time. It confirms that controls are suitably designed but does not test whether they operated effectively over a period. A Type II report covers both design and operating effectiveness over a defined review period, typically six to twelve months. Type II reports are considered more thorough and are usually required by enterprise clients, financial regulators, and DORA-subject entities.
Any service organisation that processes transactions, manages data, or operates critical systems on behalf of its clients may need an ISAE 3402 report. Common examples include IT outsourcing providers, cloud hosting companies, payroll bureaus, fund administrators, custody banks, and managed security service providers. Enterprise clients and financial regulators routinely require ISAE 3402 reports as part of third-party risk management and due diligence.
ISAE 3402 is the international standard issued by IAASB and is required by UK and European financial services clients. SOC 2 is a US-origin standard issued by the AICPA and is commonly required by North American enterprise technology clients. The two standards share similar objectives but use different frameworks and terminology. Many global service organisations hold both standards to serve clients in different markets.
A Type I report typically takes two to four months from readiness assessment to report issuance. A Type II report requires an observation period of six to twelve months, meaning the full process takes nine to fourteen months for a first-time engagement. Organisations with well-documented controls and a completed GRC assessment typically move through the process more quickly.
ISAE 3402 covers the controls that a service organisation has in place to meet its commitments to user organisations. Control domains are defined in the System Description and typically include access management, change management, incident management, data processing controls, physical and environmental security, and business continuity. The specific scope is agreed between the service organisation and the auditor based on the services being provided.
ISAE 3402 is not a legal requirement in the UK, but it is widely expected by financial services firms, banks, and institutional clients when assessing third-party service providers. The FCA and PRA expect regulated firms to conduct thorough due diligence on outsourced providers, and an ISAE 3402 Type II report is the most commonly accepted form of independent assurance. It is also increasingly required under DORA for financial entities operating in EU markets.
Start Your ISAE 3402 Readiness Journey
The GRC Index assessment gives your organisation a structured, independent view of its current control environment against ISAE 3402 requirements. You receive a clear picture of which controls are already audit-ready and which gaps need to be addressed before your first engagement.
Start Your Free Assessment: https://www.grci.net/questionnaire
Contact: info@grci.net | +44 203 1264430 | 63-66 Hatton Garden, London EC1N 8LE
© 2025 GRC Index. All rights reserved.