SAS 70 / SSAE 16 Audit – Type I vs Type II

What are the differences between a Type I and a Type II SAS 70 / SSAE 16 audit report?

This question often comes up when a service organization is considering its first SAS 70 / SSAE 16 audit. A Type I report is as of a point in time (e.g., September 30th), whereas a Type II report covers a period of time (e.g., October 1, 2010 – September 30, 2011). Also, a Type I report only covers the design effectiveness of internal controls. A Type II report covers design as well as the operating effectiveness of internal controls.

Many service organizations will elect a Type I if they have never gone through the SAS 70 / SSAE 16 audit before. First, this approach often allows service organizations to become familiar with the audit process and gives them a sense of what is required to undergo a Type II audit. Second, it often helps service organizations instill the discipline necessary to successfully complete a Type II audit. Finally, in most situations at least six months have to elapse in order to have a Type II report. When potential customers are looking for assurance that a provider has a SAS 70 / SSAE 16, the Type I audit is a great stopgap measure to show commitment while the Type II audit is underway.

There is another significant difference between a Type I and a Type II report.  In order for a SAS 70 / SSAE 16 “[t]o be useful to user auditors, the report should ordinarily cover a minimum reporting period of six months.”  See AICPA AU 324.53.  This is only possible with a Type II report, since it covers a period of time.
