
Type I vs Type II ISAE 3402 reports

Also known as: Type I report, Type II report

Type I and Type II are the two report variants used in ISAE 3402 (and other assurance standards such as SOC 1 and SOC 2). A Type I report describes the design of controls at a point in time. A Type II report tests their operating effectiveness over a period.

Type I: design at a point in time

A Type I report describes the controls a service organisation has in place and confirms their design is suitable as of a specified date. The auditor does not test whether the controls operated effectively over time.

Type I is the starting-point report. It demonstrates that controls have been formally established and that an auditor agrees the design addresses the relevant risks. Service organisations in their first year of assurance work usually start here.

Type II: operating effectiveness over a period

A Type II report covers a period, typically six to twelve months. The auditor selects samples across the period and tests whether each control operated as designed throughout. The result is evidence of effectiveness, not just a snapshot of design.

Large enterprise customers will usually require a Type II report from a service organisation. A Type I report rarely passes procurement on its own once an organisation is past initial pilot deals.

Which one does your customer need?

  • If a customer is asking for the report to satisfy their own auditor’s reliance on your controls for financial-reporting purposes, they need Type II. Type I is not enough.
  • If a customer is doing first-stage vendor diligence and wants confirmation that controls exist, Type I is often acceptable as a starting point. They will ask for Type II at the next renewal.
  • Organisations new to ISAE 3402 commonly publish Type I in year one and Type II from year two onwards. The first Type II period typically starts the day after the Type I as-of date.
  • Once you publish a Type II, you commit to publishing one annually. Customers and their auditors expect the cadence; a gap signals control deterioration.

Cost and effort comparison

A first Type I engagement is the cheaper entry point. Once controls are documented and evidence is collected for a single as-of date, the audit is comparatively short.

A Type II engagement is heavier because evidence must be produced for every control across the test period. The audit takes longer (a few weeks of fieldwork is typical), and the internal cost of evidence collection across six to twelve months is the larger line item. Most service organisations move to a recurring Type II calendar once they are past the first cycle.
