There are significant differences between a Type I and Type II report, however, we aren’t going to discuss that here, thats for another day. We will discuss the basics of a SSAE 16 Type I Report and some areas that should be focused on if this is the direction your company wants to take.
While the Type I Report doesn’t carry much weight, there are benefits, and that’s why it exists as an option. A Type I Report is specifically defined by the SSAE 16 guidance as a “report on a description of a service organization’s system and the suitability of the design of controls”, essentially, a determination of if your company’s controls designed appropriately. When performing a Type I report, the auditors will test the design effectiveness of your company’s defined controls by examining a sample of 1 item per control. This provides a user organization with some comfort that your company (the service organization) has at least some controls in place. This can be useful when trying to obtain a contract and to show good faith to the potential user organization that your company is moving in the right direction. Most user organizations will require a Type II Report before contracting your company as a service organization of theirs.
The Type I Report is made up of 3 major areas, per the SSAE No. 16 Guidance:
a description of the service organization’s system prepared by management of the service organization.
- Management will need to prepare a description of the control objectives that are in place and being tested at their organization, as it relates to the process that is being reviewed for use by a User Organization. This will read sort of like a narrative of the process and how your control objectives tie in to each other and the process as a whole, giving a User Organization an overview of what and how, at a high level, their data will be handled.
a written assertion by the Service Organization’s management about whether, in all material respects, and based on suitable criteria:
1. the description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date.
2. the controls related to the control objectives stated in the description were suitably designed to achieve those control objectives as of the specified date.
- Management will need to prepare a written assertion attesting to the fair presentation and design of controls. Previously under SAS 70, it was the auditors who reported directly on the controls and management was not required to attest to anything. (There will be a separate post describing this in detail as this is a major difference)
The final component:
a service auditor’s report that expresses an opinion on the matters in b1-2.
- The auditors that are hired to perform the testing will need to review the Management’s assessment of the design of controls and attest to the validity of Management’s opinion. The auditors will walk through the control objectives and control activities in place at your company and verify they are, in fact, designed as Management noted. This is where the auditors will obtain a sample of 1 to support each control activity and express the results of their testing.
Specifics of reporting details for a SSAE Type I will be discussed later on!