What is a Type I report?
We see it at least twice a year: a user auditor receives a Type I report from a service organization and treats it like a Type II. The file goes to review, and the reviewer sends it back with a note asking where the operating effectiveness evidence is. There is none, because a Type I report was never designed to provide it.
Under ISAE 3402.8(e), a Type I report answers one question: could these controls prevent or detect misstatements if they operated as described? It covers whether the service organization's description fairly presents the system as designed and implemented, and whether controls are suitably designed to achieve the stated control objectives.
What it does not answer is whether those controls actually worked. There is no testing of operating effectiveness. The service auditor evaluates design only, as of a specific date (not over a period).
ISA 402.A28 is clear: if the user auditor wants to rely on service organization controls to reduce the assessed risk of material misstatement (the RMM), they need evidence of operating effectiveness. That means a Type II report. A Type I helps the user auditor understand the system and its controls, but it does not provide the evidence needed for controls reliance.
Key Takeaways
- Covers control design only, not operating effectiveness.
- Reports as of a specific date, not over a period.
- User auditors can use it to understand the system, but it gives less evidence than a Type II.
- Often the first step for a service organization new to ISAE 3402.
Worked example: Wolkenhost GmbH
Wolkenhost GmbH is a German cloud hosting provider running managed ERP hosting for 38 clients. This is their first ISAE 3402 engagement.
Wolkenhost commissions a Type I report as of 30 September 2024. The scope covers data centre physical security, logical access management, backup and recovery, change management, and incident response. The service auditor evaluates 9 control objectives and 31 controls for suitability of design.
During the design evaluation, the service auditor identifies an exception on control objective CO-4 (change management): the change approval workflow exists in policy documentation but is not enforced in the ticketing system. Changes can be deployed without recorded approval. The service auditor issues a qualified opinion on CO-4, noting that the design does not provide reasonable assurance that changes are approved before implementation.
A user auditor receiving this report understands Wolkenhost's control environment but cannot reduce substantive testing based on it. For the following year, Wolkenhost remediates the change approval workflow and commissions a Type II report covering a full 12-month period.
What reviewers get wrong
- User auditors sometimes rely on a Type I report to reduce substantive testing. This is the finding that generates the most review notes on SOC report workpapers. ISA 402.A28 requires operating effectiveness evidence before controls reliance is justified.
- Service organizations commission the Type I at their own fiscal year-end rather than aligning with their clients' reporting periods. This reduces the report's usefulness to user auditors, who then need to perform additional procedures to cover the gap.
Type I vs Type II
| Dimension | Type I report | Type II report |
|---|---|---|
| Coverage | Design at a point in time | Design and effectiveness over a period |
| Report date | As of a specific date | For a period |
| Testing | Design evaluation only | Design plus operating effectiveness |
| Evidence strength | Weaker; supports understanding | Stronger; supports controls reliance |
| Use case | First-time or post-system-change | Recurring annual |
Key standard references
- ISAE 3402.8(e) defines the Type I report as covering description and suitability of design as of a specified date.
- ISA 402.A28 requires evidence of operating effectiveness (Type II) before the user auditor can reduce assessed risk based on service organization controls.
- ISAE 3402.13 sets out the service auditor's objective regarding fair presentation and suitability of control design.
Frequently asked questions
Can a user auditor rely on a Type I report to reduce substantive testing?
Not directly. ISA 402.A28 requires evidence of operating effectiveness (a Type II report) before the user auditor can reduce the assessed risk of material misstatement based on service organization controls.
When is a Type I report appropriate?
When the service organization is going through ISAE 3402 for the first time or has recently changed its system and controls have not been in place long enough for a Type II period.