There are two types of SAS 70 audits (Type I and Type II). Many organizations are not certain which audit best fits their needs or is required for their company's objectives. A SAS 70 Type I audit results in an audit report that provides an opinion on the description of the service organization's controls as of a point in time. This snapshot audit provides a description of controls at the service organization that is validated by an independent auditor.
SAS 70 Type I audits are sometimes used as a stepping stone for organizations that have a long-term goal of obtaining a SAS 70 Type II audit. Other organizations use the SAS 70 Type I audit for marketing strategies. Regardless of the use of the report, a SAS 70 Type I audit is a valuable engagement to provide third parties an independent review of your operations.
The Type II SAS 70 audit is the highest level of assurance that can be provided for SAS 70 audits, and it requires a more intense and larger audit. The differentiator between the SAS 70 Type II audit and the SAS 70 Type I audit is that the audit firm conducting the audit is required to report on your controls over a period of time (normally 6 – 12 months). Due to the larger scope and higher assurance provided by a SAS 70 Type II audit, more companies require this audit from their service organizations, especially since the Public Company Accounting Oversight Board (PCAOB) communicated that a SAS 70 Type II report could be utilized when relying on service organizations for Sarbanes-Oxley compliance.
Not all companies need to obtain a SAS 70 Type II audit; however, service organizations should evaluate their vendors and determine the appropriate audit to meet their internal compliance needs. A good rule of thumb is that if you have publicly traded clients or clients in government-regulated industries, they will require a Type II SAS 70 audit. Another thing to keep in mind when choosing between a Type I and a Type II audit is market perception: a company that has an annual SAS 70 Type II audit may appear more reputable to potential customers.