ISAE 3402 / SOC 1 compliance software for service organisations.

A maintained system description, control-objective register, evidence captured continuously through the Type II period, CUEC tracking and a subservice-organisation register the audit team can walk straight through. Built for the outsourced operations financial-services customers depend on.

What is ISAE 3402 / SOC 1?

ISAE 3402 (issued by IAASB) and SOC 1 (issued under SSAE 18 by AICPA) are the two equivalent standards for service-organisation reporting on controls relevant to a user entity's internal control over financial reporting (ICFR). They are the report your financial-services customers ask for when your service is in the path of how they close their books.

Who needs to comply

  • Outsourced payroll, billing and collections providers
  • Custodians, fund administrators, transfer agents
  • Cloud-hosted ERP and accounting platforms
  • BPO providers handling financial transactions for their customers

Key ISAE 3402 controls covered by Dazr

  • System description: Section III description maintained centrally and reviewed before each period close.
  • Control objectives & activities: Control-objective register with the activities that operate each objective.
  • Change & release management: Documented process, segregation, emergency-change path with post-hoc review.
  • JML and access certification: Quarterly access recert, JML SLA enforced, evidence stored centrally.
  • Backup and incident: Annual restore test + incident-process evidence captured continuously.
  • CUECs and subservice: Section IV CUEC list + subservice register with treatment per provider.

What auditors look for

The audit team will spend most of their time on contemporaneous evidence - did the JML happen on time, did the change have an approver distinct from the implementer, did the backup get restored, did the incident get an RCA. Dazr's append-only activity log gives you exactly that, automatically.

How Dazr helps with ISAE 3402

  • Maintain the system description and the control-objective register in one place
  • Capture evidence continuously through the Type II period
  • Track CUECs and subservice organisations as first-class objects
  • Run ISAE 3402 alongside SOC 2 and ISO 27001 for evidence reuse
  • Hand the audit team a read-only view or a single-PDF audit trail

ISAE 3402 questions, answered.

What is the difference between ISAE 3402 and SOC 1?

Same controls and same intent - reporting by a service organisation on controls relevant to a user entity's internal control over financial reporting. ISAE 3402 is the international standard (IAASB); SOC 1 is the US framing (AICPA, SSAE 18). Most reports we see in Europe are issued as ISAE 3402 with a SOC 1 cross-reference.

Type I or Type II?

Type I covers design at a point in time. Type II covers design plus operating effectiveness across a period (typically 6 or 12 months). Dazr's append-only activity log gives you the contemporaneous evidence Type II requires.

How does ISAE 3402 differ from SOC 2?

ISAE 3402 / SOC 1 is about controls relevant to financial reporting. SOC 2 is about the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). Many service organisations issue both.

Where is data hosted?

European Union only. AES-256-GCM at rest.

Ready to start your ISAE 3402 program?

Free for one user. Pro €29/mo and Enterprise €299/mo are self-serve via Mollie. Custom (from €800/mo) is the only tier on a contract.