ISAE 3402 Training

Master ISAE 3402 — the IAASB international assurance standard for service organisation controls. CPD-certified practitioner training covering Type I and Type II reporting, control design, and audit readiness for UK and European service organisations.

CPD-Certified · Practitioner Level · ISAE 3402 Specialist · International Standard · Online

Start Your AssessmentSee How It Works

What Is ISAE 3402 Training?

ISAE 3402 training is specialist professional development in IAASB International Standard on Assurance Engagements 3402 — the international standard for assurance reports on service organisation controls over financial reporting. It covers Type I and Type II reporting, control objectives, audit evidence, and ISAE 3402 engagement readiness. ISAE 3402 is the international equivalent of SOC 1 (SSAE 18).

ISAE 3402 is the international assurance standard that service organisations use to demonstrate the effectiveness of their internal controls to their clients' auditors. For outsourcing providers, financial services platforms, cloud infrastructure companies, and any service organisation whose controls affect a client's financial reporting, ISAE 3402 is a business requirement.

This CPD-certified practitioner course gives UK auditors, service organisation management, and compliance professionals the technical knowledge to design, document, test, and report on ISAE 3402-compliant controls — whether preparing for an engagement, managing an existing programme, or advising client service organisations.

ISAE 3402 Course Curriculum

The ISAE 3402 practitioner curriculum takes you from foundational concepts through to audit readiness:

The ISAE 3402 Standard

  • History: from SAS 70 to SSAE 18 to ISAE 3402
  • IAASB standard requirements and scope
  • ISAE 3402 vs SOC 1 (SSAE 18): key differences
  • Who must obtain an ISAE 3402 report and why

Report Types

  • Type I reports: design suitability assessments
  • Type II reports: operating effectiveness testing periods
  • Inclusive vs carve-out reporting models
  • Sub-service organisations: complementary controls and user entity considerations

Control Framework Design

  • Defining control objectives aligned to user entity needs
  • Mapping risks to controls: completeness and accuracy assertions
  • Control design principles: preventive, detective, and corrective
  • Documenting control descriptions for auditor review

Testing and Evidence

  • Auditor testing approaches: inquiry, observation, inspection, re-performance
  • Sample sizes, population definition, and deviation thresholds
  • Evidence standards: what auditors look for
  • Managing exceptions, deviations, and remediation evidence

Audit Readiness

  • ISAE 3402 readiness assessments: gap analysis methodology
  • Remediation planning: prioritising control gaps by risk
  • Working with external auditors: scope agreements and management letters
  • Post-engagement: addressing auditor findings and continuous improvement
GRC Essentials Training
ISAE 3402 Training
SOC 1 Training
SOC 2 Training
ISAE 3000 Training
ISO 27001 Training
GRC Advanced / DORA & NIS2 Training
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

What You Will Learn: ISAE 3402 Modules

The ISAE 3402 practitioner course is structured across six modules covering the complete assurance engagement lifecycle:

Module

What You Will Learn

Module 1: ISAE 3402 Foundations
Understand ISAE 3402 purpose, scope, and relationship to SOC 1 (SSAE 18). Covers the IAASB standard, who needs ISAE 3402, and the UK and European regulatory context for service organisation assurance.
Module 2: Type I vs Type II Reporting
Master the distinctions between Type I (design suitability) and Type II (operating effectiveness) reports — scope, testing requirements, report structure, and use-case differences.
Module 3: Control Objectives & Control Design
Define appropriate control objectives. Design controls addressing financial reporting risks, carve-out vs inclusive reporting models, and sub-service organisation considerations.
Module 4: Evidence Collection & Testing
Understand auditor testing requirements, evidence standards, population sampling, exception handling, and how to manage the fieldwork phase of an ISAE 3402 engagement.
Module 5: Assurance Report Structure
Read, interpret, and draft ISAE 3402 assurance reports — management assertion, auditor opinion, description of the system, and how control deviations are reported.
Module 6: Audit Readiness & Programme Management
Prepare for an ISAE 3402 engagement — readiness assessments, gap analysis, remediation planning, and working with external auditors.

Why Choose GRC Index for ISAE 3402 Training?

GRC Index offers the most practice-oriented ISAE 3402 training in the UK, developed by practitioners who have managed live ISAE 3402 engagements for service organisations across financial services, technology, and professional services. Unlike informational websites that describe ISAE 3402 concepts, GRC Index training teaches you what to do — how to design control objectives, what evidence auditors require, how to read an assurance report, and how to prepare your organisation for a Type II engagement.

Advantage

Detail

ISAE 3402 Specialist Depth
Dedicated ISAE 3402 practitioner content — not a paragraph in a generic GRC course
UK & European Focus
UK and EU service organisation context — outsourcing, financial services, and technology sector examples
Linked to GRC Assessment
ISAE 3402 controls map directly to GRC Index Compliance and Governance domain scores
CPD-Certified — 12 Hours
Counts towards ACCA, ICAEW, IIA, ISACA, and other professional body CPD requirements
Audit Readiness Orientation
Practical focus on what auditors look for — not just theoretical standard interpretation

Who Should Take ISAE 3402 Training?

ISAE 3402 training is specialist content for professionals working with service organisation controls:

Professional Role

Why This Course Matters

Internal Auditors at Service Organisations
Manage evidence collection, coordinate with external auditors, and lead remediation programmes
Service Organisation Management
Understand management assertion obligations, control design responsibilities, and programme governance
External Auditors & Assurance Professionals
Develop ISAE 3402 technical competency — testing standards, reporting requirements, and opinion formation
Financial Services & Outsourcing Professionals
Outsourcing providers, fund administrators, transfer agents, and fintech platforms subject to ISAE 3402 client requirements
IT Governance & Cloud Providers
Technology service providers whose controls are included in client ISAE 3402 engagements
Compliance & Risk Officers
Understand ISAE 3402 obligations as part of a broader GRC and vendor management programme

Frequently Asked Questions: ISAE 3402 Training

What is ISAE 3402 training?

+

ISAE 3402 training is specialist professional development in the IAASB International Standard on Assurance Engagements 3402 — the international equivalent of SOC 1 (SSAE 18). It covers Type I and Type II reporting, control objectives, audit evidence collection, assurance report structure, and audit readiness for service organisations and their auditors.

What is the difference between ISAE 3402 and SOC 1?

+

ISAE 3402 and SOC 1 (SSAE 18) serve the same purpose — assurance on service organisation controls over financial reporting — but apply different standards. ISAE 3402 is the international IAASB standard used in the UK and Europe. SOC 1 (SSAE 18) is the US AICPA standard. GRC Index offers separate dedicated training for each standard.

What is the difference between ISAE 3402 Type I and Type II?

+

An ISAE 3402 Type I report confirms controls are suitably designed as at a specific date. A Type II report confirms controls operated effectively over a period (typically 6–12 months). Type II reports provide stronger assurance and are required by most enterprise clients. Our training covers both report types in detail.

Who needs ISAE 3402 training?

+

ISAE 3402 training is essential for internal auditors and compliance professionals at service organisations, external auditors conducting ISAE 3402 engagements, and service organisation management responsible for the management assertion. It is particularly relevant for financial services, outsourcing providers, fund administrators, and technology platforms serving European and international clients.

How long does ISAE 3402 training take?

+

The GRC Index ISAE 3402 practitioner course is 12–14 hours. Available as self-paced or instructor-led cohort delivery. Most professionals complete it over 2–4 days.

Does ISAE 3402 training count as CPD?

+

Yes. GRC Index ISAE 3402 training is CPD-certified and awards 12 CPD hours upon completion. Recognised for IIA, ACCA, ICAEW, ISACA, and CISI professional body CPD requirements.

GRC Essentials Training
ISAE 3402 Training
SOC 1 Training
SOC 2 Training
ISAE 3000 Training
ISO 27001 Training
GRC Advanced / DORA & NIS2 Training
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Quick Links

HomeAbout UsHow It WorksStart AssessmentContact

Contact Us

info@grci.net

(+44) 203 1264430

63-66 Hatton Garden, EC1N 8LE London, UK.

Start Your Assessment

© 2025 GRC Index. All rights reserved.