The validity period of a certification report depends on a number of factors. As mentioned earlier, a Type I report only provides its users with assurance that the design of an order was in place at the time of testing, while a Type II report provides assurance that the controls have been designed and operated consistently over a period of time. In general, a report user can receive a so-called bridge letter. This letter is from the organization`s management and confirms that there have been no significant changes to the description of the system and that the controls have continued to function as intended. Note that this is not an auditor`s report. In general, a bridge letter should not be accepted for a report that is more than a year old, unless there are additional monitoring procedures that allow an organization to plan and operate controls. In 1986, the SBA published the first SSAE, Attestation Standards, to build on the existing capabilities of CPAs and to provide advice on how to apply this expertise to information other than historical financial statements. Using these and subsequent certification standards, practitioners have begun to insure many new types of business information and systems (see “What are SysTrust and WebTrust?” below). The new declaration – SSAE No. 10 – replaces all previously issued SSAEs; the effective date is June 1, 2001. SSAE No. 18 is designed to make certified standards easier to read, understand and apply.