What is a Type II report?
Governed by: ISAE 3402.8(f)
A Type II report under ISAE 3402 covers three things: whether the service organization's description fairly presents the system, whether controls are suitably designed, and whether those controls operated effectively throughout a specified period. The critical difference from a Type I report is the third element — it tests whether controls did work, not just whether they could work.
ISA 402.12 allows the user auditor to reduce the assessed risk of material misstatement when a Type II report provides positive evidence of operating effectiveness. This is the evidence that supports controls reliance in the user entity's audit.
ISAE 3402.41 requires the report to specify the period covered. ISAE 3402.42 requires the service auditor to describe any exceptions identified during testing. Exceptions do not automatically disqualify the report — the user auditor evaluates their significance in the context of their own audit assertions.
Key Takeaways
- Tests both design and operating effectiveness over a defined period.
- Provides evidence user auditors need to reduce substantive testing under ISA 402.
- Report period must align with (or substantially overlap) the user entity's reporting period.
- Exceptions do not automatically disqualify reliance, but the user auditor must evaluate them.
Worked example: Kilkenny Fund Services Ltd
Client: Irish fund administration company, €890M AUM, administering 22 UCITS funds.
Kilkenny's Type II report covers January to December 2024, with six control objective areas: NAV calculation, investor transactions, cash reconciliation, transfer agency, regulatory reporting, and IT general controls. The service auditor tests 52 controls across these areas.
Two exceptions are identified. First, a late cash reconciliation sign-off in March — the reconciliation was prepared on time but the reviewer signed off three days late. Second, a terminated employee's system access remained active for 11 days in August before being revoked.
A user auditor evaluating this report considers the impact of each exception on their audit assertions. The late sign-off is assessed as immaterial — the reconciliation itself was completed and no errors were identified. For the access revocation delay, the user auditor reviews the activity log for the 11-day window and confirms no transactions were processed using that account. Reliance on 50 of 52 controls is maintained, with additional substantive procedures applied to cash reconciliation for March and access management for August.
What reviewers get wrong
- Insufficient period coverage analysis: User auditors accept the report without checking whether the period covered is sufficient. ISA 402.12(b) requires the user auditor to address the gap period — the time between the end of the Type II report period and the user entity's year-end.
- Evaluating exceptions in isolation: The FRC noted that user auditors evaluate individual exceptions without considering whether they indicate broader control environment weaknesses. ISA 402.A31 requires the user auditor to consider the pattern, not just the individual finding.
Type II vs Type I
| Dimension | Type II report | Type I report |
|---|---|---|
| Coverage period | Over a specified period | At a specific date |
| Testing scope | Design + operating effectiveness | Design only |
| Evidence for user auditor | Sufficient for controls reliance | Supports understanding only |
| Exception reporting | Includes tests and exceptions | No effectiveness testing |
Key standard references
- ISAE 3402.8(f): Defines the Type II report as covering description, design, and operating effectiveness over a specified period.
- ISA 402.12: User auditor can reduce assessed risk when Type II provides positive evidence of operating effectiveness.
- ISAE 3402.41: Report must specify the period covered.
- ISAE 3402.42: Service auditor must describe exceptions identified during testing.
- ISA 402.12(b): Gap period between report end and user entity year-end must be addressed.
Related terms
Related reading
Frequently asked questions
Do exceptions in a Type II report mean you cannot rely on it?
No. The user auditor evaluates whether each exception affects the specific control objectives relevant to their audit assertions and whether compensating controls exist. A single exception does not invalidate the report.
What if the Type II report period does not cover the user entity's full year?
ISA 402.12(b) requires the user auditor to obtain evidence about controls during the gap period through inquiry, observation, or targeted testing of transactions processed after the report ended.