SSAE 16 Type II Attestation

SSAE 16 Type II (Type 2) builds on the Type I report to also include an assessment of the effectiveness of the controls over a period of time, which is recommended to be no less than six months. Such a report can be used to provide evidence of the effectiveness of the system in meeting stated objectives during the specified period.

Type II Attestation is performed for a particular period.



SSAE 16 Type 2 reports are considered the effective method for conducting verification and validation related to the financial audits of a Service Organization.

Activities performed by the Service Auditor during the SSAE 16 Type II Assessment are:

  • Service Auditor will obtain management’s written assertion on the description of controls
  • Verification, Observation and Testing of the description of controls as provided by the management

The service auditor expresses an opinion on management’s assertion:

  • That the system descriptions prepared by the management are accurate and correct.
  • That the system description accurately depicts the controls that are designed and implemented during the period of reporting.
  • That the design of the controls is suitable to the organization and more specifically to the transaction processing processes.
  • That the controls provide assurance that their effective operation would achieve the specified control objectives.
  • That the tested controls operated effectively during the period of the reporting and provided a reasonable measure of assurance that the specified control objectives were met during the said reporting period.


Content of SSAE 16 Type 2 Audit Report

The SSAE 16 Type 2 audit report contains the following information:

  • Service Auditor’s Report
  • Descriptions of the Systems as prepared by the organization. The system description should cover the Description of Controls, Control Environment, Risk Assessment Details, Risk Identified, Communication System Details, and Monitoring and Control Processes.
  • Details of the user controls are part of the report, so that the user organizations are aware of the controls that they are accountable for as a user of the service.
  • The report also contains other important information supplied by the management of the service organization, such as management’s feedback regarding the service auditor’s report.


Deliverables from the SSAE 16 Type 2 Audit

The following are the deliverables from an SSAE 16 Type 2 Audit:

  • Service Auditor Report in printed and PDF format