SSAE 16 Type 1 vs. Type 2 is a common subject area researched by service organizations, as they're searching for credible information relating to the similarities and differences between SSAE 16 Type 1 and Type 2 reporting. And while most service organizations eventually undertake SSAE 16 Type 2 compliance, an SSAE 16 Type 1 assessment is often looked upon as a great starting point for entities new to the world of reporting on controls at service organizations.
Specifically, an SSAE 16 Type 1 assessment is for a specific point in time (e.g., August 27, 20xx), while an SSAE 16 Type 2 report covers a period of time, which is known as the "test period". This test period is generally seen as six (6) months in length, but can also be any number of months necessary for testing of controls. Because of this, many SSAE 16 Type 2 assessments are 6, 8, 10, or even 12 months long. Thus, for SSAE 16 Type 2, reporting is done on the “suitability of the design and operating effectiveness of controls” for a given period, whereas for SSAE 16 Type 1, there is no testing on the “operating effectiveness of controls”. For an ounce of clarity, just remember that SSAE 16 Type 2 reporting covers a period (generally 6 months, or more), while SSAE 16 Type 1 is merely a snapshot in time, that is, reporting as of a specific date. And also remember that SSAE 16 Type 1 reporting is seen merely as a starting point for service organizations, with the ultimate goal of undertaking SSAE 16 Type 2 reporting procedures.
But there are also similarities when it comes to SSAE 16 Type 1 vs. Type 2 reporting. Specifically, both a description of the service organization’s “system” and a written statement of assertion by management are required for Type 1 and Type 2 reporting. The description of the "system" is essentially the following:
"the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization's core activities that are relevant to user entities."
As for the written statement of assertion by management, it's simply a document in which the service organization's management must assert to a number of clauses and provisions relating to the SSAE 16 assessment being conducted, either a Type 1 or a Type 2.
As can clearly be seen, there are differences as well as similarities, but it's important to remember the following points regarding SSAE 16 Type 1 vs. Type 2 reporting:
1. SSAE 16 Type 1 reporting is for a snapshot or point in time.
2. SSAE 16 Type 2 covers a "period" for reporting, generally a six (6) month test period, or more.
3. Type 1 reporting is merely a stepping stone toward what's ultimately required of service organizations - Type 2 reporting.
4. Both SSAE 16 Type 1 and Type 2 reporting require the written statement of assertion, along with a description of one’s “system”.
5. Subservice organizations can play an important role in both Type 1 and Type 2 reporting.
Call Christopher G. Nickell, CPA, to learn more about SSAE 16 Type 1 and Type 2 reporting, and to receive a competitive, fixed-fee proposal. He can be reached at 1-800-277-5415, ext. 706. Additionally, learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.