What you'll learn

  • How to assess deviation severity (low, medium, high) using quantitative and qualitative factors
  • How the seven-element compensating control framework determines whether a deviation's impact is mitigated
  • How aggregation works across multiple findings and why one high-severity finding can trigger qualification for a single control objective
  • How the ISAE 3402 template pack's gap analysis tab walks through this assessment with four pre-populated examples and a nine-item sign-off checklist

Your testing is complete. Three of eleven controls have deviations. One looks serious. You need to determine whether the opinion is clean, qualified, or adverse. The gap between "deviation found" and "opinion impact determined" is where most ISAE 3402 files fall apart. In our experience, this is also where the file should tell a story but usually does not.

Under ISAE 3402.53 to 55, the service auditor must evaluate whether deviations (individually or in aggregate) prevent one or more control objectives from being achieved, and if so, whether a qualified or adverse opinion is required. A structured gap analysis with severity assessment, compensating control evaluation, and aggregation determines the path from each deviation to the final opinion.

What the gap analysis must accomplish

A gap analysis entry exists for every deviation identified during testing. Its purpose is not to describe the deviation (that lives in the testing protocol). Its purpose is to evaluate the deviation's impact on the control objective and on the service auditor's opinion.

The evaluation chain has four stages. First, what is the severity of this deviation? Second, does a compensating control mitigate the unaddressed risk? Third, does this deviation combine with other deviations to create a more significant deficiency? Fourth, does the conclusion require opinion modification?

ISAE 3402 does not prescribe a severity framework. Paragraphs 53 to 55 describe the conditions for qualification and adverse opinions but leave the assessment methodology to the service auditor's judgment. The gap analysis tab in the ISAE 3402 template pack applies a three-tier severity framework (low, medium, high) consistent with how firms apply ISA 265 to internal control deficiencies.

Every gap analysis entry contains 18 columns. The first five identify the finding: gap reference, control identifier, risk reference, test reference, and whether the deficiency is a design issue or an operating effectiveness issue. That last distinction carries weight because design deficiencies and operating deficiencies push in different directions. A design deficiency means the control cannot achieve the objective even if it operates perfectly. An operating deficiency means the control is well-designed but did not run consistently.

Severity assessment: quantitative meets qualitative

Each finding receives a severity rating based on two parallel assessments.

The quantitative assessment compares the observed deviation rate to the tolerable deviation rate (TDR). A finding with a 20% observed rate against a 5% TDR is quantitatively more severe than one with an 8% observed rate against a 10% TDR. The gap between observed and tolerable rates, combined with the population size, drives the extrapolated exposure: how many unsampled items might contain the same deviation.

Qualitative assessment considers factors that numbers alone cannot capture. Is the deviation systematic or isolated? What is its root cause? Is the affected control a key control or a secondary one? How long was the exposure period? Does the deviation suggest a broader control environment weakness? A single isolated deviation caused by a one-time system upgrade carries a different qualitative profile than a systematic failure caused by a staffing vacancy over six months. This is the section reviewers re-read first, and it is also where most files thin out into one-line conclusions.

Low severity means the deviation does not prevent reasonable assurance and requires no opinion modification. Medium severity represents a significant deficiency that requires aggregation assessment and may warrant an Emphasis of Matter paragraph. High severity means the control objective was not achieved, and the finding triggers the qualification analysis under ISAE 3402.53.

The seven-element compensating control framework

When a deviation is identified, the next question is whether a compensating control mitigates the unaddressed risk. ISAE 3402.A27 addresses compensating controls but does not prescribe a framework for evaluating them. The gap analysis tab requires seven elements for any compensating control claim.

Element one identifies the primary risk that is not mitigated by the failed control. This forces precision. "Payroll accuracy risk" is insufficient. "Transaction-level authorisation risk for October payroll, where a variance could have been processed without Payroll Manager review" is sufficient.

Element two names the compensating control itself. What other control addresses the same risk through a different mechanism?

Element three assesses coverage: does the compensating control provide full or partial coverage of the residual risk? Full coverage means the compensating control independently addresses the entire risk. Partial coverage means a residual gap remains.

Element four documents the testing evidence for the compensating control. A compensating control that has not been tested provides no assurance. We must test it with the same rigour as any other control. Skipping this is the finding that generates the most review notes on ISAE 3402 files.

Element five records the effectiveness conclusion. The compensating control must have operated effectively during the relevant exposure period, not just during the window when it was originally tested.

Element six notes whether the compensating control was identified before or after the auditor raised the deviation. A compensating control surfaced by management only after the deviation was reported carries less weight than one that was already operating independently.

Element seven documents the residual risk after considering the compensating control. Even with full coverage, the residual risk may not be zero.

Aggregation: when findings combine

Individual findings are assessed in isolation first, then aggregated. Aggregation asks: do multiple findings, when considered together, rise to a higher severity than each finding individually?

Two medium findings affecting the same control objective may aggregate to high if together they indicate a systemic weakness in the control environment for that objective. Two low findings affecting different control objectives typically do not aggregate because they address unrelated risks.

The aggregation assessment column in the gap analysis requires the auditor to identify related findings, assess whether combined deficiencies rise to a higher severity, and document the rationale for the aggregated conclusion. This is where the opinion path becomes clear. If aggregation produces a high-severity conclusion for any control objective, the service auditor must consider whether that objective was achieved. If it was not achieved, ISAE 3402.53 requires a qualified opinion (where the condition is limited to specific objectives) or an adverse opinion (where the condition is pervasive).

One critical point: qualification is per control objective, not per finding. A high-severity finding on bank reconciliation triggers a qualified opinion for the bank reconciliation control objective. It does not automatically contaminate the clean opinion on logical access or payroll processing. The service auditor's report specifies which objectives were achieved and which were not.

Four worked examples

The gap analysis tab contains four pre-populated findings that illustrate different severity levels, compensating control scenarios, and opinion outcomes.

Finding one: payroll variance review (medium, operating deficiency)

A payroll processing bureau's monthly variance review control had one deviation in five sampled months. The October review was completed eight days late and signed by an unauthorised person (the Assistant Payroll Manager, not the Payroll Manager or designated backup). Observed deviation rate: 20%. Tolerable deviation rate: 5%. The TDR is breached.

The root cause: no documented backup procedure for the Payroll Manager role. When the Payroll Manager was on leave, the Assistant completed the review but lacked authorisation.

Compensating control: the Payroll Director independently reviews payroll exception reports on a monthly basis. This compensating control was tested and found effective. However, coverage is partial: the Director's review is at an aggregate level and does not replicate the granular, department-by-department variance analysis performed by the Payroll Manager.

Severity: medium (maintained after aggregation). Isolated incident, compensating control effective with partial coverage, no financial impact identified. No opinion modification. The finding is reported to management and documented in the service auditor's report as an exception, but it does not prevent the payroll control objective from being achieved.

Documentation note: gap analysis entry records observed rate, TDR, root cause, compensating control with all seven elements populated, and aggregation assessment confirming no escalation.

Finding two: backup integrity (low, operating deficiency)

Backup integrity checks failed on two of twenty-five sampled days in March. The failure was caused by a vendor storage firmware update that temporarily disrupted checksum validation. Observed deviation rate: 8%. Tolerable deviation rate: 10%. The TDR is not breached.

Compensating control: the previous day's backup was valid and available, and real-time database replication provided an alternative recovery path with less than fifteen minutes of latency. Coverage: full. Maximum data loss even during the two affected days would have been one business day.

Severity: low. Technical issue, isolated to a two-day window, full compensating coverage, no financial impact, vendor patch resolved the root cause. No opinion modification.

Documentation note: gap analysis entry records the firmware issue as root cause, full compensating coverage via alternative recovery, and standalone assessment (no related findings).

Finding three: bank reconciliation (high, operating deficiency, qualified opinion)

Bank reconciliation was performed by the Treasury Analyst, who resigned in May. No replacement was hired until December. Of five sampled reconciliations, three (June, August, November) were either not performed or performed without required signatures. Observed deviation rate: 60%. Tolerable deviation rate: 5%. The TDR is breached by 55 percentage points.

The root cause: single point of failure in the Treasury function with no documented backup procedure.

Compensating control: the CFO performed a retrospective high-level review of the June through November reconciliations in December. Coverage: partial. The CFO's review was at an aggregate level only, did not replicate the transaction-level reconciliation procedure, and identified two previously unreconciled differences totalling €23,400 that required correction. The compensating control was identified only after the auditor raised the deviation.

Severity: high. Systematic failure over six months, key control, cash is the highest-risk balance, compensating control provides partial coverage only and was retrospective. The bank reconciliation control objective was not achieved for the June through November period.

Opinion impact: qualified opinion required under ISAE 3402.53. The qualification is limited to the bank reconciliation control objective. All other control objectives were achieved and receive a clean opinion.

Documentation note: gap analysis entry triggers the nine-item sign-off checklist. EQCR required per ISQM 2.A25-A27 for any qualification. Partner sign-off with date.

Finding four: incident management (medium, design deficiency, Emphasis of Matter)

The incident management policy does not define quantified escalation SLAs for priority levels. Three P1 incidents occurred during the period with escalation times of 8 minutes, 47 minutes, and 4 hours 22 minutes. Without a defined SLA, the service auditor cannot objectively evaluate whether escalation was timely.

This is a design deficiency, not an operating deficiency. The control cannot achieve its objective (timely escalation) because the standard for "timely" is undefined. The incident logging and triage components of the control operated effectively. Only the escalation element lacks the design precision needed for objective assessment.

Compensating control: the IT Operations Manager reviews the ITSM dashboard daily and would identify unescalated P1 incidents. Coverage: partial (24-hour latency between incident occurrence and dashboard review). The compensating control was tested and found effective over 25 sampled days.

Severity: medium. Design gap in a non-financial ITGC control. The incident logging and triage components work; only the escalation measurement is undefined. No financial impact from the three observed incidents.

Opinion impact: no qualification. The finding is a significant deficiency warranting an Emphasis of Matter paragraph in the service auditor's report, drawing the user auditor's attention to the design gap while confirming that the remaining incident management controls operated effectively.

Documentation note: Emphasis of Matter recommended. Management response requested with commitment to define quantified SLAs by next reporting period.

The nine-item sign-off checklist

Before the partner signs the gap analysis, every finding must pass a nine-item checklist. The checklist exists to ensure no procedural step is missed between identifying a deviation and issuing the report.

The nine items:

  1. Management response obtained (signed acknowledgment of the deviation and root cause).

  2. Compensating control tested (not just identified, but tested with documented evidence).

  3. Backup or alternative recovery confirmed where applicable.

  4. Management representation obtained covering the deviation period.

  5. Aggregation assessment completed across all findings.

  6. Partner sign-off recorded with date.

  7. Exception reported in the service auditor's report regardless of severity (per ISAE 3402.A18, deviations are reported regardless of materiality).

  8. EQCR completed if any finding is high severity.

  9. CUEC implications communicated to user entities where the deviation affects a complementary user entity control.

Each item has a checkbox. An incomplete checklist blocks sign-off. The checklist is not a formality. It is the documentation trail that demonstrates the service auditor completed every required step between deviation and opinion.

Practical checklist for gap analysis

  1. Create a gap analysis entry for every deviation, regardless of severity. ISAE 3402.A18 requires reporting all deviations, not just material ones.

  2. Assess severity using both quantitative factors (observed rate vs. TDR, population size, extrapolated exposure) and qualitative factors (systematic vs. isolated, root cause, key vs. non-key, exposure period).

  3. For every compensating control claim, populate all seven elements of the framework. A compensating control that has not been independently tested provides no assurance.

  4. Aggregate findings before concluding. Two medium findings on the same control objective may aggregate to high. Document the aggregation rationale even when the conclusion is "no escalation."

  5. Determine opinion impact per control objective, not per finding. One high-severity finding affects the opinion for that objective only (ISAE 3402.53).

  6. Complete the nine-item sign-off checklist for every finding before the partner signs the gap analysis. An incomplete checklist means the file is not ready for sign-off.
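To make the chain concrete, here is an added Python model of the four-stage evaluation and of checklist steps 1 to 5 above, run over the four worked findings. It is not the template pack's own logic: the tier rules, the "two mediums on one objective escalate to high" rule, the objective names and the key-control flags are this example's assumptions, since ISAE 3402 prescribes none of them.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Severity(IntEnum):
    LOW, MEDIUM, HIGH = 1, 2, 3

@dataclass
class Compensating:
    coverage: str           # "full" or "partial"
    tested: bool            # untested -> ignored, it provides no assurance
    identified_after: bool  # surfaced by management only after the deviation was raised

@dataclass
class Finding:
    objective: str          # qualification attaches here, not to the finding
    deficiency: str         # "design" or "operating"
    observed_rate: float    # 0.0 for a design gap (no sample rate applies)
    tdr: float              # tolerable deviation rate
    systematic: bool
    key_control: bool
    comp: Optional[Compensating] = None

def assess_severity(f: Finding) -> Severity:
    # Quantitative: a breached TDR, or a design gap, starts at MEDIUM; otherwise LOW.
    sev = Severity.MEDIUM if f.deficiency == "design" or f.observed_rate > f.tdr else Severity.LOW
    # Qualitative: a systematic failure of a key control is HIGH whatever the numbers say.
    if f.systematic and f.key_control:
        sev = Severity.HIGH
    # Only a tested, pre-existing compensating control with full coverage lowers one tier.
    c = f.comp
    if c and c.tested and c.coverage == "full" and not c.identified_after:
        sev = Severity(max(Severity.LOW, sev - 1))
    return sev

def aggregate(findings: list[Finding]) -> dict[str, Severity]:
    """Per-objective severity; two or more MEDIUM findings on one objective escalate to HIGH."""
    by_obj: dict[str, list[Severity]] = {}
    for f in findings:
        by_obj.setdefault(f.objective, []).append(assess_severity(f))
    return {o: Severity.HIGH if max(s) < Severity.HIGH and s.count(Severity.MEDIUM) >= 2 else max(s)
            for o, s in by_obj.items()}

def opinion(findings: list[Finding], objectives: list[str]) -> dict[str, str]:
    """Outcome per control objective; a HIGH qualifies only that objective, never the whole report."""
    agg, out = aggregate(findings), {}
    for obj in objectives:
        sev = agg.get(obj)
        design = any(f.objective == obj and f.deficiency == "design" for f in findings)
        if sev == Severity.HIGH:
            out[obj] = "qualified: objective not achieved"
        elif sev == Severity.MEDIUM and design:
            out[obj] = "unmodified + Emphasis of Matter"
        else:
            out[obj] = "unmodified, exceptions reported" if sev else "unmodified"
    return out

# The article's four findings as constructed input (key-control flags are assumed, not stated).
ARTICLE = [
    Finding("payroll processing", "operating", 0.20, 0.05, False, True, Compensating("partial", True, False)),
    Finding("backup and recovery", "operating", 0.08, 0.10, False, True, Compensating("full", True, False)),
    Finding("bank reconciliation", "operating", 0.60, 0.05, True, True, Compensating("partial", True, True)),
    Finding("incident management", "design", 0.0, 0.0, False, False, Compensating("partial", True, False)),
]
OBJECTIVES = ["payroll processing", "backup and recovery", "bank reconciliation", "incident management", "logical access"]
```

Calling `opinion(ARTICLE, OBJECTIVES)` reproduces the article's outcomes: only bank reconciliation is qualified, incident management gets an Emphasis of Matter, and an objective with no findings stays unmodified.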

Common mistakes

  • Evaluating deviations in isolation without aggregation. The AFM's inspection findings have identified files where multiple medium-severity findings on the same control objective were each assessed individually as "no opinion impact," without any aggregation assessment documenting whether the combined effect was more significant.

  • Claiming compensating controls without testing them. A compensating control that "exists" but has not been tested is not audit evidence. ISAE 3402.A27 requires the same rigour for compensating controls as for primary controls.

  • Applying qualification to the entire report rather than the affected control objective. ISAE 3402.53 permits a qualified opinion that is limited to specific control objectives. A single high-severity finding on bank reconciliation qualifies the bank reconciliation control objective, not the entire engagement.

  • Treating the aggregation column as a tick box. We have seen files where the column is populated with "no related findings" on every entry, even when two findings clearly touch the same control objective. The file should tell a story about why findings were or were not combined, not simply assert that they were not.

Related reading

  • ISAE 3402 glossary entry. Covers the standard's structure, including the distinction between Type I (design only) and Type II (design and operating effectiveness) engagements.
  • ISAE 3402 template pack. Contains the gap analysis tab with 18 columns, four pre-populated findings, the seven-element compensating control framework, and the nine-item sign-off checklist.
  • CUECs: how to test them through the full audit period. When a gap analysis finding affects a CUEC, the user auditor needs to know. This post explains how the CUEC register connects to gap analysis outcomes.

Frequently asked questions

Does ISAE 3402 require reporting all deviations, even minor ones?

Yes. Under ISAE 3402, the service auditor reports all deviations identified during testing in the service auditor's report, regardless of their severity or materiality. This differs from a financial statement audit where only material misstatements drive the opinion. Even a low-severity deviation with full compensating control coverage must be documented in the gap analysis and reported as an exception, giving user auditors complete information to form their own assessment.

How does qualification work under ISAE 3402 (per finding or per control objective)?

Qualification is per control objective, not per individual finding. Under ISAE 3402 paragraphs 53–55, when deviations (individually or in aggregate) prevent a specific control objective from being achieved, the service auditor issues a qualified opinion limited to that objective. A high-severity finding on bank reconciliation qualifies only the bank reconciliation control objective; it does not automatically contaminate the opinion on other objectives. An adverse opinion is reserved for situations where the condition is pervasive across multiple objectives.

What is required to rely on a compensating control when a primary control has a deviation?

The compensating control must be independently tested with the same rigour as any primary control. Merely identifying that a compensating control exists is not sufficient evidence. The service auditor should document the specific primary risk not mitigated, the compensating control itself, whether it provides full or partial coverage, the testing evidence, the effectiveness conclusion, whether it was identified before or after the deviation was raised, and the residual risk.

How should the service auditor aggregate multiple medium-severity findings?

Each finding is assessed individually first, then the auditor must perform an aggregation assessment across all findings within each control objective. Two medium-severity findings affecting the same control objective may aggregate to high severity if together they indicate a systemic weakness. The aggregation rationale must be documented even when the conclusion is no escalation. Regulatory inspectors have identified files where multiple medium findings on the same control objective were assessed individually without any aggregation documentation.

What is the difference between a design deficiency and an operating effectiveness deficiency in ISAE 3402?

A design deficiency means the control, even if it operates perfectly, cannot achieve its intended objective because its design is fundamentally flawed (for example, an incident management policy that lacks quantified escalation SLAs). An operating effectiveness deficiency means the control is well-designed but was not performed consistently as described. The distinction matters because design deficiencies require structural remediation, while operating deficiencies may be resolved through training or process reinforcement.
