Most firms obtain the Type II report, stick it in section C of the file, and write “obtained and reviewed” in the WPs (working papers). That’s the tick box exercise the AFM keeps flagging. The AFM has identified deficiencies in auditors’ evaluation of service organisation reports during inspections (AFM, Sector in Beeld 2024, Accountancy en Verslaggeving, 28 November 2024).
Picture the situation. The client’s payroll runs through an external bureau. Their investment transactions clear through a third-party custodian. Their entire general ledger sits in a cloud-hosted ERP managed by a service organisation. You requested the Type II report in October, received a 200-page PDF in November, and now it’s sitting in the file with a note that says “obtained and reviewed.” The engagement partner (EP) asks what complementary user entity controls you tested. You open the report for the first time and realise you don’t know where to find them. This happens more often than anyone admits.
To review a service organisation report under ISA 402.15, the user auditor evaluates whether the Type II report provides sufficient evidence about control design and operating effectiveness, then tests complementary user entity controls and addresses any gap between the report period and the audit period.
Key takeaways
- How to extract the information you actually need from a Type II report without reading all 200 pages, focusing on the sections ISA 402.15 requires you to evaluate
- How to identify complementary user entity controls (CUECs) and test them on the user entity side
- What to do when the report period doesn’t cover your full audit period (the bridge letter problem) and how ISA 402.12 applies
- How to document your review so the working paper shows the judgment ISA 402 requires, not just “report obtained”
- Type I versus Type II: which report you need and why
- What ISA 402 requires you to do with the report
- How to read a Type II report efficiently
- Complementary user entity controls: the section most teams skip
- When the report period doesn’t match your audit period
- Worked example: De Groot Pensioenbeheer B.V.
- Practical checklist for reviewing a service organisation report
- Common mistakes regulators flag
Type I versus Type II: which report you need and why
ISAE 3402 produces two report types, and the distinction drives your entire audit approach to the service organisation’s controls.
A Type I report covers design and implementation at a point in time. The service auditor evaluates whether the controls described in the report are suitably designed and have been placed in operation as of a specific date. ISAE 3402.2(b) defines this. A Type I report tells you what controls exist. It doesn’t tell you whether they worked over a period.
A Type II report covers design and implementation plus operating effectiveness over a stated period (typically six or twelve months). ISAE 3402.2(a) defines this. The service auditor tests the controls and reports exceptions. A Type II report tells you both what controls exist and whether they operated effectively during the reporting period.
For most audit engagements where the user entity relies on a service organisation for a financially significant process, you need a Type II report. ISA 402.15 requires you to evaluate whether the service auditor’s report provides sufficient appropriate evidence about the operating effectiveness of controls. A Type I report can’t satisfy this because it doesn’t test operating effectiveness. If you’re relying on controls at the service organisation to reduce your substantive testing, you need Type II evidence covering the relevant period. A Type I report is only sufficient when you plan no control reliance and are using the report solely to understand the service organisation’s processing environment.
What ISA 402 requires you to do with the report
ISA 402 doesn’t let you treat a service organisation report as a pass/fail certificate. The file should tell a story about what you evaluated and why you relied on it. Obtaining the report is step one. Reviewing it is where the audit evidence is generated.
ISA 402.15 requires the user auditor to evaluate whether the Type II report provides sufficient appropriate audit evidence about the design and operating effectiveness of the controls relevant to the user entity’s assertions. That evaluation involves four specific assessments.
First, assess whether the report covers controls relevant to your audit. A payroll service bureau’s ISAE 3402 report may cover 80 controls. Not all 80 are relevant to your client’s financial statements. Identify which control objectives in the report map to assertions you’re testing. If you’re auditing payroll expense completeness and accuracy, you need the controls over payroll calculation, deduction processing, output reporting, and data input validation. You don’t need the controls over the service organisation’s own HR onboarding process.
Second, assess the service auditor. ISA 402.16 requires you to evaluate the professional competence and independence of the service auditor. In practice, this means checking whether the service auditor is a licensed firm (registered with a recognised professional body) and whether the report states compliance with ISAE 3402 or SSAE 18. If the report references a different framework or lacks a clear assertion of independence, that’s a red flag you need to document.
Third, read the opinion. The service auditor’s opinion in a Type II report states whether the controls were operating effectively during the stated period. A qualified opinion, an “except for” qualification, or reported exceptions on specific controls require you to assess the impact on your audit. An exception on a control you’re relying on doesn’t automatically mean your audit approach fails, but it does mean you need to determine whether the exception affects the user entity’s transactions and whether compensating controls exist.
Fourth, evaluate the testing results. Section IV of a typical Type II report (the “tests of controls and results” section) lists every control objective, the test performed by the service auditor, the sample sizes used, and any exceptions. Read this section for the controls relevant to your audit. Exceptions with a stated population, sample size, number of deviations, and the nature of each deviation give you the information you need to assess whether the control operated effectively enough for your reliance purposes.
How to read a Type II report efficiently
A full Type II report for a mid-size service organisation runs 100 to 250 pages. You don’t need to read every page. You need to read five sections, and you need to read them in a specific order. Section numbering is not fixed by ISAE 3402 and differs between service auditors, so navigate by section title rather than by number; the numbering below follows one common layout.
Start with Section I (the service organisation’s description of its system). Skim this for the process flow relevant to your client’s transactions. Identify the input points (where your client’s data enters the system) and the output points (what comes back to your client). This maps directly to your understanding of the service organisation’s role under ISA 402.9.
Move to Section IV (tests of controls and results). The audit evidence lives here. For each control objective relevant to your engagement, read the control description, the test performed, the sample size, and the result. Focus on exceptions. A report with zero exceptions across all tested controls is unusual for a complex service organisation; if you see one, read more carefully rather than less.
Then read Section II (the service auditor’s opinion). Confirm it’s unqualified for the controls you care about. If it’s qualified, identify which control objectives the qualification affects.
Read Section III (the service organisation’s management assertion). This confirms that management asserts the description is fairly presented and the controls are suitably designed (and, for Type II, that the controls operated effectively). If this assertion is missing or modified, the report has a structural problem.
Finally, read Section V (complementary user entity controls). This is the section that creates work for you on the user entity side. Skip it and you’ve missed the controls the service organisation explicitly says are your client’s responsibility.
Complementary user entity controls: the section most teams skip
Nearly every ISAE 3402 report includes a list of complementary user entity controls (CUECs). These are controls the service organisation assumes the user entity operates. The service organisation’s controls are designed on the assumption that these user-side controls function. If they don’t, the service organisation’s controls may not achieve their objectives even if they’re operating effectively on the service organisation’s side. Nobody enjoys working through a CUEC list at the end of fieldwork, but skipping it is how files get flagged.
CUECs are typically found in Section V of the report or embedded in the system description in Section I. Common examples include: restricting access to the interface used to submit data to the service organisation, reconciling output reports from the service organisation to the user entity’s own records, reviewing exception reports generated by the service organisation’s system, and authorising transactions before they are processed.
ISA 402.15(b) requires you to evaluate whether the Type II report provides evidence about the operating effectiveness of the controls. But CUECs aren’t tested by the service auditor. They’re tested by you, on the user entity side. If a CUEC is relevant to an assertion you’re testing and you haven’t tested it, you have a gap in your evidence. The ISAE 3402 Audit Template Pack includes a CUEC extraction worksheet that maps each CUEC from the report to the relevant assertion and documents your test.
The practical approach: extract every CUEC from the report into a separate WP. Map each one to the assertion it supports. Determine which CUECs are relevant to your audit. Test those CUECs at the user entity. Document the results alongside your evaluation of the service organisation report. A finding that the user entity doesn’t operate a relevant CUEC has the same effect as finding that a control at the service organisation didn’t operate. It changes your evidence base.
When the report period doesn’t match your audit period
This is the most common practical problem with service organisation reports, and it’s the one with the most direct regulatory consequence.
Your client’s financial year ends 31 December 2024. The service organisation’s Type II report covers 1 April 2023 to 31 March 2024. You have nine months of uncovered period (April to December 2024). ISA 402.12 requires the user auditor to determine what additional audit procedures are needed to obtain sufficient appropriate audit evidence about the relevant controls during the period not covered by the report.
Four options exist, and you pick the one that fits your engagement. First, obtain a bridge letter from the service organisation confirming that no significant changes occurred to the relevant controls between the report period end and your audit period end. This is the most common approach for gaps of six months or less. Second, request an updated report with a period that covers or more closely aligns with your audit period. This works when the service organisation produces reports on a rolling basis. Third, perform your own procedures at the service organisation (rare for mid-tier engagements, but ISA 402.12(c) permits it). Fourth, perform additional substantive procedures at the user entity to cover the gap period without relying on the service organisation’s controls.
Document which option you used and why. If you used a bridge letter, retain it in the file. If you used option four, document the link between the additional substantive procedures and the specific assertions that lost control evidence due to the gap.
Worked example: De Groot Pensioenbeheer B.V.
Scenario: De Groot Pensioenbeheer B.V. is a Dutch pension fund administrator with €320M in assets under administration, audited by a mid-tier firm. De Groot outsources investment transaction processing and custody to Vermeer Capital Services B.V. The engagement team received a Type II report from Vermeer’s service auditor (covering 1 July 2023 to 30 June 2024) for the FY2024 audit (year ending 31 December 2024).
Identify relevant control objectives
The engagement team mapped De Groot’s significant accounts (investment income, realised gains/losses, unrealised fair value movements, investment valuations) to Vermeer’s Type II report. Of the 64 control objectives in Vermeer’s report, 11 were relevant to De Groot’s financial statement assertions. These 11 covered trade execution, settlement, corporate actions processing, and position reconciliation.
Documentation note: Create a mapping table in your WP with columns for the De Groot assertion, the Vermeer control objective number, a relevant (Y/N) field, and the rationale for inclusion or exclusion. This mapping is what reviewers check first. Cross-reference to your risk assessment WP (WP ref: C.4.1).
Evaluate the service auditor
Vermeer’s report was issued by Jansen & Partners Accountants, a firm registered with the NBA (Royal Netherlands Institute of Chartered Accountants). The report stated compliance with ISAE 3402. The engagement team confirmed Jansen & Partners’ registration on the NBA public register and noted their SRA membership.
Documentation note: Record the service auditor’s name, registration body, and the standard cited. ISA 402.16 requires this evaluation. A one-line note is sufficient if no red flags exist.
Read the opinion and test results
The service auditor issued an unqualified opinion on Vermeer’s controls. In the tests of controls section, the engagement team identified two exceptions relevant to De Groot. Exception 1: for control objective 7 (trade execution authorisation), 2 of 25 sampled trades lacked pre-trade compliance confirmation. Exception 2: for control objective 11 (monthly position reconciliation), 1 of 12 monthly reconciliations was completed 8 days after the deadline.
Documentation note: For each exception, document: the control objective number, the population and sample sizes reported, the number of deviations, and your assessment of impact on De Groot’s transactions. For Exception 1, the engagement team queried Vermeer to determine whether either trade involved De Groot. Neither did. Document this confirmation with the source. For Exception 2, the late reconciliation fell within De Groot’s FY2024 reporting period (the report period ends 30 June 2024, so the month in question was one of January to June 2024). The engagement team assessed whether the delay created a window for undetected pricing errors and concluded the risk was low because the reconciliation was eventually completed with no differences noted.
Extract and test CUECs
Vermeer’s report listed 8 CUECs. The engagement team identified 4 as relevant to De Groot’s assertions: (1) De Groot must authorise all trade instructions through Vermeer’s secure portal (not email or phone), (2) De Groot must reconcile Vermeer’s monthly custody statements to its own investment records, (3) De Groot must review corporate action notifications within 5 business days, and (4) De Groot must restrict portal access to authorised investment staff.
Documentation note: Test each relevant CUEC at De Groot. For CUEC 2, the engagement team inspected the December 2024 reconciliation prepared by De Groot’s investment operations team and found it completed on time with two differences investigated and resolved. Record the test, the evidence examined, and the result. Use the ISAE 3402 template pack’s CUEC worksheet to structure this.
Address the period gap
Vermeer’s report covered 1 July 2023 to 30 June 2024. De Groot’s audit period ends 31 December 2024. The gap is six months. The engagement team obtained a bridge letter from Vermeer dated 15 January 2025, signed by Vermeer’s chief operating officer, confirming no significant changes to the control environment, key personnel, or IT systems between 1 July 2024 and 31 December 2024. The engagement team also performed inquiry of De Groot’s investment director, who confirmed no service disruptions or control changes communicated by Vermeer during the gap period.
Documentation note: Retain the bridge letter in the file (WP ref: C.4.5). Document your assessment of whether the bridge letter, combined with management inquiry at De Groot, provides sufficient evidence under ISA 402.12 to extend your reliance to 31 December 2024. Note that the bridge letter is a representation, not tested evidence. On the engagements I’ve worked, a six-month gap covered by a bridge letter plus inquiry has held up with the AFM provided the engagement team documents the rationale.
The engagement team’s review conclusion was that Vermeer’s Type II report, combined with CUEC testing at De Groot and the bridge letter covering the gap period, provided sufficient appropriate evidence under ISA 402.15 to support planned control reliance for investment transaction processing and custody. The two exceptions identified did not change the engagement team’s overall assessment: Exception 1 did not involve De Groot’s trades, and the late reconciliation in Exception 2 did not result in undetected errors.
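The period-gap procedure above and the exception assessment in the worked example are easy to get wrong by hand, so here is an added example (not code from the page, from ciferi or from any audit firm) that models the report period, the audit period and the reported exceptions, then answers the three questions the working paper has to record: how long the uncovered period is and whether the guide’s six-month bridge-letter rule of thumb applies, which exceptions are dated inside the audit period, and whether any exception is dated outside the report period (which can only be a transcription or report error, since the service auditor did not test that month). It goes beyond the page’s case in one respect: it also detects a leading gap, where the report starts after the audit period does. The dates, control objective numbers and exceptions are constructed to mirror the De Groot / Vermeer scenario; the March 2024 reconciliation month and the deliberately mis-dated August 2024 entry are assumptions for illustration.

```python
"""Period-coverage and exception triage for a Type II report review.

Added example for this guide, not code from the page or from any audit firm.
All dates, control objectives and exceptions are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Period:
    start: date
    end: date

    def contains(self, d: date) -> bool:
        return self.start <= d <= self.end


@dataclass(frozen=True)
class ReportedException:
    control_objective: int
    description: str
    sample_size: int
    deviations: int
    # Date the deviation relates to (e.g. the month-end of a late
    # reconciliation). None when the report does not date it.
    occurred: Optional[date]
    # Whether the service organisation confirmed the deviation touched the
    # user entity's transactions. None means not yet confirmed.
    affects_user_entity: Optional[bool] = None


def whole_months(start: date, end: date) -> int:
    """Calendar months from the month of `start` to the month of `end`,
    inclusive. Adequate for periods that run from the 1st to a month-end."""
    return (end.year - start.year) * 12 + (end.month - start.month) + 1


def coverage_gaps(report: Period, audit: Period) -> list:
    """Return each part of the audit period the report does not cover."""
    if report.end < audit.start or report.start > audit.end:
        return [{"position": "entire", "start": audit.start, "end": audit.end,
                 "months": whole_months(audit.start, audit.end)}]
    gaps = []
    if report.start > audit.start:  # leading gap: report starts too late
        end = report.start - timedelta(days=1)
        gaps.append({"position": "leading", "start": audit.start, "end": end,
                     "months": whole_months(audit.start, end)})
    if report.end < audit.end:  # trailing gap: the case the guide describes
        start = report.end + timedelta(days=1)
        gaps.append({"position": "trailing", "start": start, "end": audit.end,
                     "months": whole_months(start, audit.end)})
    return gaps


# The guide's rule of thumb, not a figure taken from ISA 402.
BRIDGE_LETTER_MAX_MONTHS = 6


def gap_procedure(months: int) -> str:
    """Map the gap length to the option the guide says normally suffices."""
    if months <= 0:
        return "no gap: report period covers the audit period"
    if months <= BRIDGE_LETTER_MAX_MONTHS:
        return "bridge letter plus inquiry of user entity management"
    return ("bridge letter alone insufficient: obtain an updated report, test at "
            "the service organisation, or extend substantive procedures")


def triage_exceptions(exceptions, report: Period, audit: Period) -> list:
    """Flag each exception for what the working paper must record."""
    rows = []
    for ex in exceptions:
        dated = ex.occurred is not None
        in_report = (not dated) or report.contains(ex.occurred)
        in_audit = dated and audit.contains(ex.occurred)
        # A dated exception outside the report period cannot have come from the
        # service auditor's tests: treat it as a transcription or report error.
        data_problem = not in_report
        # Needs assessment unless the service organisation has confirmed the
        # user entity was not affected, or it is dated outside the audit period.
        needs_assessment = (not data_problem
                            and ex.affects_user_entity is not False
                            and (in_audit or not dated))
        rows.append({"control_objective": ex.control_objective,
                     "deviation_rate": ex.deviations / ex.sample_size,
                     "dated": dated, "inside_report_period": in_report,
                     "inside_audit_period": in_audit, "data_problem": data_problem,
                     "needs_assessment": needs_assessment})
    return rows


# Constructed scenario data mirroring the worked example.
REPORT_PERIOD = Period(date(2023, 7, 1), date(2024, 6, 30))
AUDIT_PERIOD = Period(date(2024, 1, 1), date(2024, 12, 31))
EXCEPTIONS = [
    ReportedException(7, "trade lacked pre-trade compliance confirmation",
                      25, 2, None, affects_user_entity=False),
    # Assumed month: must lie in Jan-Jun 2024 to be in both periods.
    ReportedException(11, "monthly position reconciliation 8 days late",
                      12, 1, date(2024, 3, 31)),
    # Deliberately mis-dated entry: August 2024 is outside the report period.
    ReportedException(11, "reconciliation dated after the report period",
                      12, 1, date(2024, 8, 31)),
]


def review_summary() -> dict:
    gaps = coverage_gaps(REPORT_PERIOD, AUDIT_PERIOD)
    return {"gaps": gaps,
            "procedures": [gap_procedure(g["months"]) for g in gaps],
            "exceptions": triage_exceptions(EXCEPTIONS, REPORT_PERIOD, AUDIT_PERIOD)}


if __name__ == "__main__":
    import json
    print(json.dumps(review_summary(), indent=2, default=str))
```

Run it and the third exception comes back with `data_problem` set, which is exactly the kind of inconsistency a reviewer should catch before the file goes to the EP: a reconciliation month that postdates the report period cannot have been in the service auditor’s sample. The six-month threshold is parameterised because it is the guide’s practice, not a number ISA 402 states.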
Practical checklist for reviewing a service organisation report
- Confirm the report type (Type II if you plan any control reliance) and the standard it was issued under (ISAE 3402 or SSAE 18).
- Map the report’s control objectives to the assertions in your risk assessment; record the relevant ones with a rationale for each inclusion and exclusion.
- Record the service auditor’s name, registration body and the standard cited, and note any independence concern.
- Read the opinion; for any qualification or reported exception on a relied-upon control, document the population, sample size, number of deviations and the impact on the user entity’s transactions.
- Extract every CUEC, map each to an assertion, test the relevant ones at the user entity and file the results alongside the report evaluation.
- Compare the report period with the audit period; for any gap, document which of the four options you used and why, and retain any bridge letter.
- Write a conclusion stating whether the report, the CUEC testing and the gap procedures together support the planned reliance.
Common mistakes regulators flag
- The AFM’s 2023 thematic review found that several audited files contained a Type II report with no documented evaluation of the report’s content. The report was obtained and filed, but the WPs contained no mapping of relevant control objectives, no assessment of exceptions, and no evaluation of CUECs. That’s ticking and bashing dressed up as reliance work. ISA 402.15 requires evaluation, not just possession.
- The FRC’s 2022-23 inspection cycle noted that firms frequently failed to address the gap between the Type II report period and the audit period. In multiple files, the report ended six or more months before the financial year end with no bridge letter, no additional procedures, and no documented rationale for extending reliance beyond the report period.
Related content
- Glossary: Complementary user entity controls defines CUECs under ISAE 3402 and explains the user auditor’s responsibility for testing them on the entity side.
- ISAE 3402 Audit Template Pack includes the CUEC extraction worksheet, service organisation report review checklist, and bridge letter template used in the worked example above.
- How to write an audit findings report covers what to do when your review of the service organisation report reveals control deficiencies that need to be communicated to governance under ISA 265.9.
Frequently asked questions
What is the difference between a Type I and Type II ISAE 3402 report?
A Type I report covers design and implementation at a point in time, telling you what controls exist as of a specific date. A Type II report covers design, implementation, and operating effectiveness over a stated period (typically six or twelve months), with tested results and reported exceptions. For most audit engagements where the user entity relies on a service organisation for a financially significant process, you need a Type II report because ISA 402.15 requires evidence about operating effectiveness.
What does ISA 402 require the user auditor to do with a service organisation report?
ISA 402.15 requires four assessments: whether the report covers controls relevant to your audit assertions, the professional competence and independence of the service auditor under ISA 402.16, whether the opinion is unqualified or contains exceptions affecting relied-upon controls, and the testing results for relevant control objectives, including exceptions with population, sample size, and deviations.
What are complementary user entity controls (CUECs)?
CUECs are controls the service organisation assumes the user entity operates. The service organisation’s controls are designed on the assumption that these user-side controls function. CUECs are not tested by the service auditor. They must be tested by the user auditor at the user entity. Common examples include restricting access to submission portals, reconciling output reports, and reviewing exception reports. An untested CUEC relevant to a relied-upon control is a gap in your evidence.
What should you do when the Type II report period doesn’t match your audit period?
ISA 402.12 requires additional evidence for the gap period. Four options exist: obtain a bridge letter confirming no significant changes, request an updated report, perform your own procedures at the service organisation, or perform additional substantive procedures at the user entity. On the engagements I’ve worked, a bridge letter combined with management inquiry is enough for gaps of one to six months. For gaps exceeding six months, the AFM expects more than a bridge letter alone.
What common mistakes do regulators flag when reviewing service organisation reports?
The AFM’s 2023 thematic review found files where the Type II report was obtained but contained no documented evaluation (no mapping of relevant control objectives, no assessment of exceptions, and no evaluation of CUECs). The FRC’s inspection cycle noted that firms frequently failed to address the gap between the report period and the audit period, with no bridge letter and no documented rationale for extending reliance.
Further reading and source references
- IAASB Handbook 2024: the authoritative source for the complete ISA 402 text, including all application material on using the work of a service auditor.
- ISAE 3402, Assurance Reports on Controls at a Service Organisation: the standard governing the service auditor’s report you’re reviewing.
- ISA 315 (Revised 2019), Identifying and Assessing Risks of Material Misstatement: the risk assessment that determines which service organisation controls are relevant.
- ISA 265, Communicating Deficiencies in Internal Control: reporting deficiencies discovered during your review of service organisation controls or CUEC testing.