
ISAE 3402 | SOC 1 Type 1 vs. Type 2.

Organizations increasingly outsource non-core business processes to service organizations. A Service Organization Control (SOC) report in compliance with ISAE 3402 provides assurance over outsourcing. The ISAE 3402 standard originated from growing demand for control over outsourced activities. Outsourced services can come from Software-as-a-Service (SaaS) providers, asset managers, data centers or property managers. Please find the FAQ and further detailed information on ISAE 3402 | SOC 1.


ISAE 3402 | SOC 1 assurance report

ISAE 3402 is applicable when an independent auditor ("user auditor") is planning the financial statement audit of an entity ("user organization") that obtains services from another organization ("service organization"). A SOC 1 report ("ISAE 3402 report") allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of the audit. ISAE 3402 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the IAASB's standards for fieldwork, quality control, and reporting. In an audit of a user organization's financial statements, the user auditor obtains an understanding of the entity's internal control. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach for the audit of financial statements and generally implies that the auditor does not perform a separate audit on outsourced processes. A service auditor may issue two types of reports: an ISAE 3402 Type I report or an ISAE 3402 Type II report.


The difference between the two types

The ISAE 3402 report has two options, namely type 1 and type 2. But what exactly is the difference between these two? In fact, the content of both reports is exactly the same. The difference is not in the content of the report, but in the checks performed on it. Below is a brief explanation of each type that makes clear what the differences are between the type 1 and type 2 reports.


ISAE 3402 | SOC 1 TYPE I

An ISAE 3402 Type I report includes an opinion of an external auditor on the controls placed in operation at a specific moment in time. The external auditor examines whether the controls are suitably designed to provide reasonable assurance that the financial statement assertions are accomplished and whether the controls are in place. A Type I audit opinion is not sufficient for a user auditor to perform fewer audit procedures on outsourced services. The auditor checks whether the described situation corresponds to practice. This concerns a single point of measurement.



ISAE 3402 | SOC 1 TYPE II

In an ISAE 3402 Type II report, the external auditor reports on the suitability of the design and existence of controls and on the operating effectiveness of these controls in a predefined period. This implies that the external auditor performs a detailed examination of the internal control of the service organization and also examines whether all controls are operating effectively in accordance with the predefined processes and controls. For this, it is important that evidence is collected over a period of at least six months.