ISAE 3402 — Assurance Reports on Controls at a Service Organization

IAASB standard for reporting on controls at a service organisation, used to produce SOC 1 / Type I and Type II reports. Applies to service organisations and their auditors.

  • Rules extracted: 10
  • Obligations decomposed: 56
  • Avg obligations per rule: 5.6x
  • Jurisdiction: 🌐 International

What AuditDSS covers

  • Source: 1 regulation
  • Extracted: 10 rules
  • Decomposed: 56 obligations
  • Decomposition ratio: 5.6x

Each rule is decomposed into an average of 5.6 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 56 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in ISAE 3402 is scored across independent risk dimensions:

  • W (Obligation Weight): How critical within the regulatory framework
  • L (Violation Likelihood): How often breached in practice
  • E (Enforcement Evidence): Regulator enforcement history and penalties
  • C (Cascade Dependency): How many obligations depend on this one

Regulatory details

  • Full title: ISAE 3402 — Assurance Reports on Controls at a Service Organization
  • Regulatory body: International Auditing and Assurance Standards Board
  • Jurisdiction: 🌐 International
  • Document type: standard
  • Effective date: June 15, 2011

Who this applies to

  • service auditors
  • service organizations
  • user entities
  • user auditors

Key requirements

  • Type 1 and Type 2 assurance reports on controls
  • ethical requirements and independence
  • engagement acceptance and continuance
  • assessing suitability of criteria
  • obtaining evidence regarding description, design and operating effectiveness of controls
  • using work of internal audit function
  • written representations
  • service auditor reporting

Frequently asked questions about ISAE 3402

What is ISAE 3402?

IAASB standard for reporting on controls at a service organisation, used to produce SOC 1 / Type I and Type II reports. Applies to service organisations and their auditors.

Who does ISAE 3402 apply to?

ISAE 3402 applies to service auditors, service organizations, user entities, user auditors.

How many obligations does ISAE 3402 contain?

AuditDSS has decomposed ISAE 3402 into 56 atomic obligations from 10 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of ISAE 3402?

The key requirements include: Type 1 and Type 2 assurance reports on controls, ethical requirements and independence, engagement acceptance and continuance, assessing suitability of criteria, obtaining evidence regarding description, design and operating effectiveness of controls, using work of internal audit function, written representations, service auditor reporting.

How can I assess my ISAE 3402 compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 56 ISAE 3402 obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces ISAE 3402?

ISAE 3402 is enforced internationally by the International Auditing and Assurance Standards Board.

When did ISAE 3402 come into effect?

ISAE 3402 became effective on June 15, 2011.

What industry does ISAE 3402 apply to?

ISAE 3402 is primarily relevant to the Medical Devices & Diagnostics industry. AuditDSS covers 64 regulations in this industry sector.

Build an ISAE 3402 compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for ISAE 3402 — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering ISAE 3402 requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine ISAE 3402 with other regulations into a single unified compliance pack for your business.

Already have a policy? Assess it against ISAE 3402

1. Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2. AI maps against 56 obligations

Your document is scored against every obligation in ISAE 3402. Each claim is mapped to the obligation tree and evaluated for coverage.

3. Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Assess your ISAE 3402 compliance

Upload your document and get a risk-scored gap analysis against 56 ISAE 3402 obligations in under 5 minutes.