What is a Type II report?
When a user auditor receives a SOC 1 or ISAE 3402 report, the first question is always the same: is this a Type I or a Type II? If it is a Type I, the file cannot support controls reliance. Only a Type II gives the user auditor evidence that controls actually worked over time.
Under ISAE 3402.8(f), a Type II report covers four elements: whether the service organization's description fairly presents the system, whether controls are suitably designed, whether those controls operated effectively throughout a specified period, and the results of the service auditor's tests. The critical difference from a Type I is operating effectiveness testing. A Type II tests whether controls did work, not just whether they could work.
ISA 402.12 allows the user auditor to reduce the assessed risk of material misstatement (the RMM) when a Type II report provides positive evidence of operating effectiveness. This is the evidence that supports controls reliance in the user entity's audit.
ISAE 3402.41 requires the report to specify the period covered. ISAE 3402.42 requires the service auditor to describe any exceptions identified during testing. Exceptions do not automatically disqualify the report. The user auditor evaluates their significance in the context of their own audit assertions.
Key Takeaways
- Tests both design and operating effectiveness over a defined period.
- Provides the evidence user auditors need to reduce substantive testing under ISA 402.
- Report period must align with (or substantially overlap) the user entity's reporting period.
- Exceptions do not automatically disqualify reliance, but the user auditor must evaluate them.
Worked example: Kilkenny Fund Services Ltd
Kilkenny Fund Services Ltd is an Irish fund administration company with €890M AUM, administering 22 UCITS funds.
Kilkenny's Type II report covers January to December 2024, with six control objective areas: NAV calculation, investor transactions, cash reconciliation, transfer agency, regulatory reporting, and IT general controls. The service auditor tests 52 controls across these areas. Reviewing the results of those 52 tests is classic ticking and bashing, but it is where most of the user auditor's time on this file actually goes.
Two exceptions are identified. First, a late cash reconciliation sign-off in March (the reconciliation was prepared on time but the reviewer signed off three days late). Second, a terminated employee's system access remained active for 11 days in August before being revoked.
A user auditor evaluating this report considers the impact of each exception on their audit assertions. The late sign-off is assessed as immaterial because the reconciliation itself was completed and no errors were identified. For the access revocation delay, the user auditor reviews the activity log for the 11-day window and confirms no transactions were processed using that account. Reliance on 50 of 52 controls is maintained, with additional substantive procedures applied to cash reconciliation for March and access management for August.
What reviewers get wrong
- User auditors accept the report without checking whether the period covered is sufficient. ISA 402.12(b) requires the user auditor to address the gap period (the time between the end of the Type II report period and the user entity's year-end). Nobody enjoys filling that gap with inquiry and additional testing, but skipping it is how files get flagged in cold review.
- The FRC noted that user auditors evaluate individual exceptions without considering whether they indicate broader control environment weaknesses. ISA 402.A31 requires the user auditor to consider the pattern, not just the individual finding.
Type II vs Type I
| Dimension | Type II report | Type I report |
|---|---|---|
| Coverage period | Over a specified period | At a specific date |
| Testing scope | Design + operating effectiveness | Design only |
| Evidence for user auditor | Sufficient for controls reliance | Supports understanding only |
| Exception reporting | Includes tests and exceptions | No effectiveness testing |
Key standard references
- ISAE 3402.8(f) defines the Type II report as covering description, design, and operating effectiveness over a specified period.
- ISA 402.12 allows the user auditor to reduce assessed risk when a Type II provides positive evidence of operating effectiveness.
- ISAE 3402.41 requires the report to specify the period covered.
- ISAE 3402.42 requires the service auditor to describe exceptions identified during testing.
- ISA 402.12(b) requires the user auditor to address the gap period between report end and user entity year-end.
Frequently asked questions
Do exceptions in a Type II report mean you cannot rely on it?
No. The user auditor evaluates whether each exception affects the specific control objectives relevant to their audit assertions and whether compensating controls exist. A single exception does not invalidate the report.
What if the Type II report period does not cover the user entity's full year?
ISA 402.12(b) requires the user auditor to obtain evidence about controls during the gap period through inquiry, observation, or targeted testing of transactions processed after the report ended.