ISAE 3402 Type II: understanding the observation period


Kees van der Vlies

Partner | IT Auditor


One of the most important aspects of an ISAE 3402 Type II engagement is the observation period. Unlike a Type I report, which evaluates controls at a single point in time, a Type II report covers a defined period during which the auditor tests whether controls operated effectively on a consistent basis. Understanding the requirements and practicalities of this observation period is critical for a successful engagement.

Minimum six months, twelve preferred

The ISAE 3402 standard requires a minimum observation period of six months for a Type II report. This minimum exists because a shorter period would not provide sufficient evidence of consistent control operation. Client auditors who rely on your ISAE 3402 report need confidence that your controls were functioning throughout a meaningful portion of their financial reporting period.

While six months is the minimum, a twelve-month observation period aligned with the calendar year (January through December) or your clients' financial year is preferred. A twelve-month period eliminates gaps between reporting periods and makes it easier for your clients' auditors to rely on your report without needing additional procedures to cover the gap.

Why the period matters for client auditors

Your clients' auditors use your ISAE 3402 report to reduce the scope of their own audit work. If your report covers only six months of a twelve-month financial year, the client auditor must perform additional procedures for the uncovered period. This creates additional work and cost for your clients, which can reduce the practical value of your report.

Timing the report effectively means aligning your observation period with the needs of your client base. If most clients have a December year-end, a January-to-December observation period maximizes the utility of your report. If your client base has varied year-ends, discuss timing with your auditor to find the optimal approach.

What the auditor tests

During the observation period, the auditor tests the operating effectiveness of your controls through a combination of inquiry, observation, inspection of evidence and reperformance. The specific testing approach depends on the nature of each control.

For automated controls (system-enforced access restrictions, automated calculations, system-generated alerts), the auditor typically tests the control at one or more points during the period and verifies that no changes were made to the control configuration. For manual controls (approvals, reviews, reconciliations), the auditor selects samples from across the entire period to verify consistent operation.

The sample size depends on the frequency of the control. A control that operates daily will have a larger sample than one that operates quarterly. The auditor needs to see evidence that the control operated as described throughout the period, not just at the beginning and end.

Evidence collection during the period

Effective evidence management throughout the observation period is essential. Establish a routine for collecting and organizing evidence as controls operate, rather than attempting to reconstruct evidence after the fact. This means saving approval emails, archiving review documentation, maintaining audit logs, and storing completed checklists on an ongoing basis.

Common evidence collection challenges include employee turnover (the person who performed a control is no longer available to provide evidence), system changes (logs are overwritten or archived), and inconsistent documentation practices across teams. Address these risks proactively by establishing clear evidence retention requirements and backup procedures.

Handling exceptions

Not every control will operate perfectly throughout the observation period. When a control does not operate as designed (an access review is missed, an approval is not documented, a patch is not applied within the defined timeframe), this is an exception. The auditor evaluates exceptions based on their nature, frequency and significance.

A small number of exceptions does not automatically result in a qualified opinion. The auditor considers whether the exceptions are isolated incidents or indicative of a systematic issue, whether compensating controls were in place, and whether the organization identified and corrected the issue. Transparent communication with your auditor about known exceptions is always better than having the auditor discover them independently.
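The two points above (sampling spread across the whole period, and a missed occurrence counting as an exception) can be turned into a simple self-check before the auditor arrives. The following is an added example, not part of the original article or an auditor's tool: the control names, evidence dates and the "one occurrence per N calendar months" mapping are all constructed assumptions.

```python
from datetime import date

# Constructed observation period: a full calendar year, as the article prefers.
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 12, 31)

# Assumed simplification: one expected occurrence per N calendar months.
MONTHS_PER_OCCURRENCE = {"monthly": 1, "quarterly": 3, "semi-annual": 6, "annual": 12}

# Hypothetical controls and the dates on which their evidence was archived.
EVIDENCE = {
    ("C1 user access review", "monthly"):
        [date(2024, m, 15) for m in range(1, 13) if m != 7],      # July review missed
    ("C2 backup restore test", "quarterly"):
        [date(2024, 3, 20), date(2024, 6, 18), date(2024, 9, 25), date(2024, 12, 10)],
}

def month_index(d, start):
    """Zero-based month offset of d from the start of the period."""
    return (d.year - start.year) * 12 + (d.month - start.month)

def missing_windows(frequency, evidence, start=PERIOD_START, end=PERIOD_END):
    """Return (missing, total): expected occurrence windows that have no evidence.

    Each window spans MONTHS_PER_OCCURRENCE[frequency] months. Evidence dated
    outside the period is ignored, since it cannot support the Type II opinion.
    """
    size = MONTHS_PER_OCCURRENCE[frequency]
    total = -(-(month_index(end, start) + 1) // size)             # ceiling division
    covered = {month_index(d, start) // size for d in evidence if start <= d <= end}
    return [w for w in range(total) if w not in covered], total

def sample_across_period(evidence, n):
    """Pick n items spread evenly over the period, not clustered at its ends."""
    items = sorted(evidence)
    if n >= len(items):
        return items
    if n == 1:
        return [items[len(items) // 2]]
    step = (len(items) - 1) / (n - 1)
    return [items[round(i * step)] for i in range(n)]

def exception_report():
    """Map each control to the windows lacking evidence (one exception per window)."""
    return {name: missing_windows(freq, dates)[0] for (name, freq), dates in EVIDENCE.items()}

if __name__ == "__main__":
    for control, gaps in exception_report().items():
        print(f"{control}: {'no exceptions' if not gaps else f'exceptions in windows {gaps}'}")
    print("C1 sample:", sample_across_period(EVIDENCE[("C1 user access review", "monthly")], 4))
```

Running it flags the missed July review for C1 as an exception in window 6 and shows the quarterly control fully covered; the sampling helper mirrors the auditor's practice of drawing items from across the period rather than its edges.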

Secure Audit has extensive experience with ISAE 3402 Type II engagements across a wide range of service organizations. We help you plan your observation period, establish effective evidence collection practices, and navigate the audit process efficiently. Get in touch to discuss your ISAE 3402 timeline.

