Side-by-side comparison
| Dimension | Type I report | Type II report |
|---|---|---|
| What it covers | Description of the system and suitability of control design at a specific date. | Description of the system, suitability of control design, operating effectiveness of controls over a stated period, and any exceptions identified. |
| Period vs point in time | Single date (e.g., 31 March 2025). | Period (e.g., 1 April 2024 to 31 March 2025). |
| Tests performed | Inquiry and inspection of control documentation to assess design. | All of the above plus reperformance and sample-based testing of control operation over the period. |
| What the user auditor gets | Evidence of control design only. User auditor must test operating effectiveness independently. | Evidence of both design and operating effectiveness. User auditor may rely on it if the period and scope are sufficient. |
| Typical use case | First-year engagement where the service organisation has not yet undergone a full-period examination. | Ongoing engagements where the user auditor needs to rely on controls at the service organisation. |
Key Points
- A Type I report confirms control design at a point in time; a Type II report tests whether those controls actually worked over a period.
- User auditors who rely on a Type I report still need to perform their own tests of operating effectiveness.
- Most inspection findings relate to user auditors treating a Type I report as if it were a Type II.
- A Type II report covering only six months may leave a gap the user auditor must address.
When the distinction matters on an engagement
The distinction matters most when the user auditor decides how much reliance to place on the service organisation's controls. ISA 402.12 permits the user auditor to use a Type I or Type II report as audit evidence, but the nature of that evidence differs.
With a Type I report, the user auditor has evidence that controls were designed appropriately at a date. That tells you nothing about whether anyone followed them. If the user auditor's control reliance strategy depends on operating effectiveness at the service organisation, a Type I report is insufficient on its own.
ISA 402.15 requires the user auditor to obtain evidence of operating effectiveness through one of two routes: the Type II report itself, or the user auditor's own procedures. The mistake is assuming a Type I report covers both.
Worked example: Colruyt Logistics N.V.
Client: Belgian retail holding company, FY2024, revenue €128M, IFRS reporter. Colruyt outsources payroll processing to an external service organisation.
The user auditor's planned approach relies on controls at the payroll service provider to support the completeness and accuracy assertions over payroll expense (€14.2M, 11% of revenue).
Scenario A: Type I report available (dated 30 September 2024)
The service auditor's Type I report confirms that the payroll provider's controls over input validation, calculation accuracy, output reconciliation, and exception handling were suitably designed as of 30 September 2024.
Documentation note: "Type I report obtained, dated 30 September 2024. Report confirms control design suitability. No evidence of operating effectiveness. Per ISA 402.15, user auditor must perform own procedures to obtain evidence that these controls operated effectively during the period 1 January to 31 December 2024."
The user auditor designs and performs alternative procedures: selecting a sample of 25 monthly payroll reconciliations and reperforming input-to-output checks for two pay periods.
Scenario B: Type II report available (period 1 January to 31 December 2024)
The service auditor's Type II report confirms design suitability and states that controls operated effectively throughout the year. No exceptions were identified in the service auditor's testing.
Documentation note: "Type II report obtained, period 1 January to 31 December 2024. No exceptions. Report covers the full period under audit. Per ISA 402.16, user auditor may rely on the service auditor's testing as evidence of operating effectiveness. No supplementary user auditor testing of these controls required, subject to evaluation of the service auditor's competence per ISA 402.13."
If the team had relied on the Type I report without performing its own operating effectiveness procedures, the file would contain no evidence that the controls worked during the audit period.
What reviewers get wrong
The most common error is treating a Type I report as a substitute for operating effectiveness evidence. ISA 402.15 is explicit: a Type I report addresses design only. User auditors who document "controls at the service organisation are effective per the Type I report" have made a factual misstatement in their own working papers.
When a Type II report covers only part of the audit period (for example, 1 July to 31 December when the audit period runs from 1 January to 31 December), ISA 402.16 requires the user auditor to obtain evidence for the uncovered period. Teams frequently document the Type II report as covering the full year without checking the dates. The gap between the report period and the audit period is a recurring finding in ISA 402 inspections.
Key standard references
- ISAE 3402.2-3: Defines the scope of Type I and Type II reports for service organisations.
- ISA 402.12: Permits the user auditor to use a service auditor's report as audit evidence.
- ISA 402.15: Requires operating effectiveness evidence, which a Type I report does not provide.
- ISA 402.16: Addresses gaps between the report period and the audit period.
Related terms
Related reading
Frequently asked questions
Can a user auditor rely on a Type I report for operating effectiveness?
No. A Type I report confirms control design at a point in time only. ISA 402.15 requires the user auditor to obtain evidence of operating effectiveness either through a Type II report or through the user auditor's own procedures.
What happens when a Type II report covers only part of the audit period?
ISA 402.16 requires the user auditor to obtain evidence for the uncovered period. If the Type II report runs from July to December but the audit period starts in January, the user auditor must perform procedures or obtain other evidence covering January to June.