← Frameworks / Assurance Standard

ISAE 3402 Assurance Reports on Controls at a Service Organisation

International assurance engagement standard for reporting on controls at service organisations relevant to user entities' financial reporting. Defines Type I (design suitability) and Type II (design and operating effectiveness) report structures covering management assertions, control objectives, control activities, subservice organisation management, and complementary user entity controls (CUECs). Widely used by cloud providers, data centres, payment processors, and outsourcing firms. Equivalent to SSAE 18 / SOC 1 in the US.

Clauses: 10

Avg Coverage: 42.5%

Publisher: IAASB (International Auditing and Assurance Standards Board) Version: 2011 (revised 2022)

ISAE 3402 → SP 800-53 SP 800-53 → ISAE 3402 Coverage Analysis

Clause	Title	SP 800-53 Controls
Clause 1	Scope and Objectives	PL-01 PL-02 PM-01 PM-05 PM-09 PM-11 CA-01 CA-06 RA-01 RA-02 RA-03
Clause 2	Management Assertion	PL-02 PL-04 PM-01 PM-09 CA-02 CA-05 CA-06 CA-07
Clause 3	Control Objectives	PM-01 PM-09 PM-11 PL-02 CA-01 CA-02 CA-06 RA-01 RA-02 RA-03 RA-09
Clause 4	Control Activities	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-17 AU-01 AU-02 AU-03 AU-06 AU-12 CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CP-01 CP-02 CP-09 CP-10 IA-01 IA-02 IA-04 IA-05 PE-01 PE-02 PE-03 PE-06 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 SA-03 SA-10 SA-11 SC-07 SC-08 SC-12 SC-13 SC-28 SI-02 SI-03 SI-04 SI-07 SI-10 SI-12
Clause 5	Type I vs Type II Reports	CA-02 CA-05 CA-07 PM-06 PM-14
Clause 6	Service Auditor Responsibilities	CA-02 CA-04 CA-07 CA-08 AU-06 AU-16 PM-06
Clause 7	Subservice Organisation Management	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06 CA-03 PM-30 AC-20
Clause 8	Complementary User Entity Controls (CUECs)	PL-02 SA-09 CA-03 AC-20 AC-21 PM-09 SR-01 SR-07
Clause 9	Description Criteria	PL-02 PL-08 PM-05 PM-07 CM-02 CM-08 CM-12 CM-13 SA-05 SA-17 PS-01 PS-02
Clause 10	Reporting and Communication	CA-02 CA-05 CA-07 AU-06 AU-07 PM-06 IR-06 IR-07