What is a Type I report?

Governed by: ISAE 3402.8(e)

A Type I report under ISAE 3402 answers one question: could these controls prevent or detect misstatements if they operated as described? It covers whether the service organization's description fairly presents the system as designed and implemented, and whether controls are suitably designed to achieve the stated control objectives.

What it does not answer is whether those controls actually worked. There is no testing of operating effectiveness. The service auditor evaluates design only, as of a specific date — not over a period.

ISA 402.A28 is clear: if the user auditor wants to rely on service organization controls to reduce the assessed risk of material misstatement, they need evidence of operating effectiveness. That means a Type II report. A Type I report helps the user auditor understand the system and its controls, but it does not provide the evidence needed for controls reliance.

Key Takeaways

  • Covers control design only, not operating effectiveness.
  • Reports as of a specific date, not over a period.
  • User auditors can rely on it to understand the system, but it gives less evidence than a Type II.
  • Often the first step for a service organization new to ISAE 3402.

Worked example: Wolkenhost GmbH

Client: German cloud hosting provider, managed ERP hosting for 38 clients. First ISAE 3402 engagement.

Wolkenhost commissions a Type I report as of 30 September 2024. The scope covers data centre physical security, logical access management, backup and recovery, and change management. The service auditor evaluates 9 control objectives and 31 controls for suitability of design.

During the design evaluation, the service auditor identifies an exception on control objective CO-4 (change management): the change approval workflow exists in policy documentation but is not enforced in the ticketing system. Changes can be deployed without recorded approval. The service auditor issues a qualified opinion on CO-4, noting that the design does not provide reasonable assurance that changes are approved before implementation.

A user auditor receiving this report understands Wolkenhost's control environment but cannot reduce substantive testing based on it. For the following year, Wolkenhost remediates the change approval workflow and commissions a Type II report covering a full 12-month period.

What reviewers get wrong

  • Treating Type I as equivalent to Type II: User auditors sometimes rely on a Type I report to reduce substantive testing. ISA 402.A28 requires operating effectiveness evidence before controls reliance is justified.
  • Report date misalignment: Service organizations commission the Type I at their own fiscal year-end rather than aligning with their clients' reporting periods, reducing the report's usefulness to user auditors.

Type I vs Type II

| Dimension | Type I report | Type II report |
| --- | --- | --- |
| Coverage | Design at a point in time | Design and effectiveness over a period |
| Report date | As of a specific date | For a period |
| Testing | Design evaluation only | Design plus operating effectiveness |
| Evidence strength | Weaker; supports understanding | Stronger; supports controls reliance |
| Use case | First-time or post-system-change | Recurring annual |

Key standard references

  • ISAE 3402.8(e): Defines the Type I report as covering description and suitability of design as of a specified date.
  • ISA 402.A28: Requires evidence of operating effectiveness (Type II) before the user auditor can reduce assessed risk based on service organization controls.
  • ISAE 3402.13: Service auditor's objective regarding fair presentation and suitability of control design.

Frequently asked questions

Can a user auditor rely on a Type I report to reduce substantive testing?

Not directly. ISA 402.A28 requires evidence of operating effectiveness (a Type II report) before the user auditor can reduce the assessed risk of material misstatement based on service organization controls.

When is a Type I report appropriate?

When the service organization is going through ISAE 3402 for the first time or has recently changed its system and controls have not been in place long enough for a Type II period.