ISAE 3402 vs SOC 2: Differences, Types and When Each Applies
If your organization provides services to enterprise clients across multiple jurisdictions, you have almost certainly encountered both ISAE 3402 and SOC 2 — sometimes in the same procurement process, sometimes as competing requirements from different parts of the same organization.
ISAE 3402 is the international assurance standard for service organizations, published by the International Auditing and Assurance Standards Board (IAASB) and adopted across Europe, Asia-Pacific, the Middle East, and most markets outside North America. SOC 2 is the AICPA-governed standard that dominates US enterprise procurement and the global B2B technology sector.
Both standards address the same fundamental question — can customers rely on a service organization’s controls? — but they answer it through different frameworks, for different audiences, in different regulatory contexts. Understanding which standard applies to your organization, and why, is the first step toward building a reporting strategy that satisfies all of your stakeholders without duplicating effort.
This guide from CertPro CPA LLC explains the key differences between ISAE 3402 and SOC 2, when each standard applies, and how multinational organizations can navigate both efficiently.
TL;DR:
Concern: With service organization reporting requirements spanning multiple jurisdictions, multinational businesses and their auditors find it genuinely difficult to understand when ISAE 3402 applies, when SOC 2 applies, and whether holding one report satisfies the requirements of the other.
Overview: ISAE 3402 and SOC 2 are both assurance standards for service organizations, but they serve different regulatory contexts — ISAE 3402 is the international standard governed by the IAASB and used primarily outside the United States, while SOC 2 is the AICPA-governed standard that dominates the US market and B2B technology sector globally.
Solution: Organizations operating across borders should understand the structural differences between ISAE 3402 and SOC 2, which standard their customers and regulators actually require, and when pursuing both — or a bridge report — is the most efficient path to satisfying all stakeholder requirements simultaneously.
ISAE 3402 and SOC 2 are both internationally recognized assurance standards for service organizations. Both result in independent assurance reports issued by qualified practitioners. Both address the design and operating effectiveness of controls at service organizations. But they are governed by different standard-setting bodies, used in different markets, and structured in ways that create meaningful differences for organizations deciding which to pursue — and for buyers deciding what to require.
What is ISAE 3402?
ISAE 3402 — International Standard on Assurance Engagements 3402 — is the international standard for assurance reports on controls at a service organization. It is published by the International Auditing and Assurance Standards Board (IAASB), the global body responsible for setting international auditing and assurance standards, and adopted by professional accounting bodies across more than 130 countries.
ISAE 3402 replaced the earlier SAS 70 standard in 2011 and is designed to provide user entities — the customers of service organizations — and their auditors with information about the controls at a service organization that are relevant to the user entities’ internal control over financial reporting.
ISAE 3402 is specifically focused on controls relevant to financial reporting. It is the standard that financial statement auditors rely on when a client has outsourced processes that affect their financial statements — payroll processing, claims administration, fund accounting, transaction processing, and similar services.
What is SOC 2?
SOC 2 is the security attestation framework developed by the AICPA that evaluates whether a service organization’s controls over security, availability, confidentiality, processing integrity, and privacy meet the Trust Services Criteria. Unlike ISAE 3402, SOC 2 is not focused on financial reporting controls — it is focused on the security and operational controls that protect customer data and ensure reliable service delivery.
SOC 2 is governed by AICPA AT-C Section 205 and is the dominant service organization reporting standard in the US enterprise technology market. For a full explanation of what SOC 2 is and how it works, see What is SOC 2?
ISAE 3402 vs SOC 2 — Key Differences
The table below summarizes the key structural differences between ISAE 3402 and SOC 2:
| | ISAE 3402 | SOC 2 |
|---|---|---|
| Governing body | IAASB (International) | AICPA (United States) |
| Primary focus | Controls relevant to financial reporting | Security, availability, confidentiality, processing integrity, privacy |
| Primary market | Europe, Asia-Pacific, Middle East, global | United States, global B2B technology |
| Criteria | Criteria specified by management | AICPA Trust Services Criteria |
| Report types | Type 1, Type 2 | Type 1, Type 2 |
| Issued by | Qualified assurance practitioners | Licensed CPA firms only |
| Who requests it | Financial statement auditors, enterprise finance teams | Enterprise procurement, security teams, regulated-sector buyers |
| Output | Assurance report | Attestation report |
| Public availability | Confidential | Confidential (SOC 3 for public use) |
| Equivalent US standard | SSAE 18 / SOC 1 | No direct international equivalent |
ISAE 3402 Type 1 vs Type 2
Like SOC 2, ISAE 3402 comes in two report types — and the distinction follows the same logic.
ISAE 3402 Type 1 — evaluates whether controls are suitably designed to achieve the stated control objectives as of a specified date. It is a point-in-time assessment of control design, not operational effectiveness.
ISAE 3402 Type 2 — evaluates whether controls are suitably designed and operated effectively throughout a defined period — typically six to twelve months. It is the standard that financial statement auditors and enterprise clients require for ongoing reliance on a service organization’s controls.
The parallel with SOC 2 Type 1 and Type 2 is direct — both standards use the same Type 1 / Type 2 structure to distinguish between point-in-time design assessments and period-based operational effectiveness examinations.
What is the Difference Between ISAE 3402 and SSAE 18?
This question arises frequently for organizations operating in both US and international markets.
SSAE 18 (Statements on Standards for Attestation Engagements No. 18) is the US standard published by the AICPA that governs SOC 1 reports — the US equivalent of ISAE 3402 for financial reporting controls. SSAE 18 replaced the earlier SSAE 16 standard in 2017.
The relationship is:
ISAE 3402 = international standard for financial reporting controls at service organizations.
SSAE 18 / SOC 1 = US standard for financial reporting controls at service organizations.
SOC 2 = US standard for security and operational controls at service organizations (no direct international equivalent).
For a full breakdown of how SOC 1, SOC 2, and SOC 3 differ, see SOC 1 vs SOC 2 vs SOC 3.
When Does ISAE 3402 Apply?
ISAE 3402 applies when a service organization provides services to customers whose financial statement auditors need assurance over controls that affect the customers’ financial reporting. The clearest indicators that ISAE 3402 is the right standard:
Your customers are in jurisdictions that use IFRS or ISA-based auditing standards — most of Europe, Asia-Pacific, the Middle East, and Latin America. In these markets, financial statement auditors work under International Standards on Auditing (ISA) and will look for ISAE 3402 reports when relying on service organization controls.
The service you provide directly affects your customers’ financial statements — payroll processing, fund accounting, claims processing, transaction processing, custody services, or any service where errors in your processing could cause material misstatement in your customers’ financial reports.
Your enterprise customers’ finance or audit teams are requesting it — ISAE 3402 requests typically come from customers’ internal audit functions, external auditors, or finance teams — not from procurement or security teams, which is where SOC 2 requests originate.
When Does SOC 2 Apply?
SOC 2 applies when a service organization needs to demonstrate the security and operational integrity of its systems to enterprise buyers, regulated-sector customers, or institutional partners — primarily in the US market and the global B2B technology sector. The clearest indicators that SOC 2 is the right standard:
Your customers are US-based enterprises — US enterprise procurement teams, security teams, and regulated-sector buyers (healthcare, financial services, government) require SOC 2 as their standard vendor security credential.
You are a SaaS company, cloud provider, or technology service organization — SOC 2 has become the default security attestation for B2B technology companies regardless of geography. Even non-US technology companies selling into the US market or to global enterprises with US procurement standards need SOC 2.
Your customers’ procurement or security teams are requesting it — SOC 2 requests come from vendor security questionnaire processes, enterprise procurement requirements, and regulated-sector onboarding processes. For more on why SOC 2 matters commercially, see Why is SOC 2 Important?
Can ISAE 3402 and SOC 2 Be Combined?
Yes — and for multinational service organizations with customers across both US and international markets, combining ISAE 3402 and SOC 2 into a single coordinated engagement is often the most efficient approach.
The ISAE 3402 / SOC 2 bridge report is a single report that satisfies the requirements of both standards simultaneously. It is structured to meet the IAASB’s ISAE 3402 requirements and the AICPA’s SOC 2 requirements, allowing the service organization to share one report with both international financial statement auditors and US enterprise security teams.
This approach works when:
The service organization’s controls are relevant to both financial reporting (ISAE 3402 scope) and security/operational criteria (SOC 2 scope).
The service organization has customer bases in both US and international markets.
Efficiency is a priority — a single coordinated engagement is less costly and less disruptive than two separate examinations.
CertPro CPA LLC advises clients on the most efficient reporting structure for their specific customer mix and market requirements during the audit scoping phase of every engagement.
Which Standard Do Your Customers Actually Require?
The most practical question for any service organization evaluating ISAE 3402 vs SOC 2 is not which standard is more rigorous or more internationally recognized — it is which standard your customers are actually asking for.
If your customers are asking for a SOC 2 report — pursue SOC 2. The request is coming from their procurement or security teams, and a SOC 2 report issued by CertPro CPA LLC under AICPA standards is what they need.
If your customers’ auditors are asking for an ISAE 3402 report — pursue ISAE 3402. The request is coming from their financial statement audit process, and the report needs to address controls relevant to their financial reporting.
If both groups are asking — consider a bridge report that satisfies both standards in a single engagement, or pursue both reports on a coordinated timeline that minimizes duplication of effort.
If you are unsure which standard applies — the answer is almost always in the language of the request. “Security attestation,” “vendor security review,” or “SOC 2” language points to SOC 2. “Service auditor’s report,” “ISAE 3402,” or requests from a customer’s external auditor point to ISAE 3402.
How CertPro CPA LLC Handles ISAE 3402 and SOC 2 Engagements
CertPro CPA LLC is a licensed CPA firm that conducts SOC 2 examinations under AICPA AT-C Section 205 and advises clients on the full landscape of service organization reporting — including ISAE 3402, SOC 1, and bridge report structures for multinational organizations.
Our scoping process begins with understanding your customer mix, your service delivery model, and your stakeholder requirements — so that the reporting structure we recommend satisfies all of your obligations without unnecessary duplication of effort or cost.
Explore the full SOC 2 hub for detailed guidance on every aspect of the SOC 2 process.
Ready to begin? Contact CertPro CPA LLC to discuss your service organization reporting requirements.
FAQ
Is ISAE 3402 the same as SOC 2?
No. ISAE 3402 is an international standard focused on controls relevant to financial reporting, governed by the IAASB. SOC 2 is a US standard focused on security and operational controls, governed by the AICPA. They serve different purposes, different audiences, and different regulatory contexts — though both result in independent assurance reports covering control design and operational effectiveness.
Does a SOC 2 report satisfy ISAE 3402 requirements?
Not directly. SOC 2 addresses security and operational criteria under the AICPA’s Trust Services Criteria. ISAE 3402 addresses controls relevant to financial reporting under criteria specified by management. A bridge report can satisfy both simultaneously, but a standalone SOC 2 report does not substitute for an ISAE 3402 report when financial statement auditors require the latter.
Does ISAE 3402 replace SAS 70?
Yes. ISAE 3402 replaced SAS 70 as the international standard for service organization controls reporting in 2011. SAS 70 is no longer a current or valid standard.
What replaced SSAE 16?
SSAE 18 replaced SSAE 16 in 2017 as the US standard governing SOC 1 reports. SSAE 16 is no longer current.
Can a non-CPA firm issue an ISAE 3402 report?
ISAE 3402 reports must be issued by qualified assurance practitioners — in most jurisdictions, this means licensed professional accountants operating under IAASB standards. In the US context, CertPro CPA LLC, as a licensed CPA firm, issues SOC 2 reports and advises on ISAE 3402 structures.
Which standard does the EU require?
EU-based enterprise customers and their auditors typically require ISAE 3402 for financial reporting controls. However, US-headquartered companies with EU operations, and global technology companies selling into EU enterprises, are increasingly required to hold SOC 2 reports by their US parent companies or US-based enterprise customers.