What are the differences between a Type I and a Type II SAS 70 / SSAE 16 audit report?
This question often comes up when a service organization is considering its first SAS 70 / SSAE 16 audit. A Type I report is as of a point in time (e.g., September 30th), whereas a Type II report covers a period of time (e.g., October 1, 2010 – September 30, 2011). Also, a Type I report only covers the design effectiveness of internal controls. A Type II report covers the design as well as the operating effectiveness of internal controls.
Many service organizations will elect a Type I if they have never gone through the SAS 70 / SSAE 16 audit before. First, this approach often allows service organizations to become familiar with the audit process and gives them a sense of what is required to undergo a Type II audit. Second, it often helps the service organization instill the discipline necessary to successfully complete a Type II audit. Finally, in most situations at least six months have to elapse in order to have a Type II report. When potential customers are looking for assurance that a provider has a SAS 70 / SSAE 16, the Type I audit is a great stopgap measure to show commitment while the Type II audit is underway.
There is another significant difference between a Type I and a Type II report. According to AICPA AU 324.53, for a SAS 70 / SSAE 16 report “[t]o be useful to user auditors, the report should ordinarily cover a minimum reporting period of six months.” This is only possible with a Type II report, since it covers a period of time.