Type I versus Type II
To clarify which SOC Types your organization needs, here’s the essential information.
There are two types of ISAE 3402 reports: a Type I report and a Type II report. Both reports are the same in content. The difference lies in the performed audit; in a Type I audit, the accountant determines whether the risk management framework and control measures cover the framework (design) and exist at a specific moment. To determine this, the accountant “walks through” processes. These controls are called walkthroughs. In a Type II audit, the accountant determines over a period of at least six months whether the control measures have actually been effective. A Type I report relates to one measurement point, and a Type II report relates to at least six months.
With a Type II report, a user organization has more certainty that the service is controlled as agreed. The period in which the ISAE Type II audit takes place is a minimum of six months unless there is a special situation, such as the purchase of a new organizational unit or the introduction of a new IT system.
The first audit always requires some extra work for the organization and auditor to build mutual understanding. Undergoing Type I to Type II spreads that business impact, as Type I requires fewer audit tests. For Type I, auditors test every sample of every control practice to confirm the transaction designs. For Type II, auditors select and test multiple samples from auditor populations. A Type I report paves the way for Type II without addressing everything at once.
One advantage of Type I reports is the flexibility during the audit, where “issues” can be identified before the report is released. These are not included as issues in the report because it is a snapshot at the time of recording.
ISAE 3402 advice?
ISAE 3402 reports are read not only by your customers but also by their accountants. A report that does not meet best practice or one that is less professionally described is likely to be recognized by your customer or your customer’s accountant as less professional. With Securance’s experience with ISAE 3402 since 2004, we are well-positioned to prepare a professional report. We can also provide you with appropriate advice on how to improve measures so that you have better control over the risks.
Learn more about Securance and ISAE 3402.