A SSAE 18 / SOC 1 Type I Report shows Company’s that your Organization has appropriate controls designed and in place as of the date the report is issued. It does not provide assurance that controls are executed consistently, which, is the purpose of the Type 2 report and what most Company’s are hoping to see when asking for evidence of a SOC report.
So, while, the Type II is preferred, the Type I report is an important step in the right direction for an Organization who has never undergone an audit and looking to show they are serious about compliance.
A Type I Report is specifically defined by the SSAE 18 guidance as a “report on a description of a service organization’s system and the suitability of the design of controls”, essentially, a determination of if your company’s controls designed appropriately. When performing a Type I report, the auditors will test the design effectiveness of your Company’s controls by examining a sample of 1 item per control, review of policy, or through inquiry. This provides a user organization with some comfort that your company (the service organization) has controls in place (but not evidence of operating effectiveness). This can be useful when trying to obtain a contract to show good faith to potential user organizations or to maintain current contracts when Customers may have updated compliance requirements they must meet.
The SSAE 18 Type I report has 3 sections which include Management’s Assertion, the Auditor’s Opinion, and the System Description of the service offerings under review and corresponding control objectives and activities.