Risk Advisory Services Blog

SAS 70 Audits: Type I and Type II

There are two types of SAS 70 audits (Type I and Type II).  Many organizations are not certain which audit best fits their needs or is required for their companies objectives.  The basic fundamental of a SAS 70 Type I audit is an audit report that provides an opinion on the description of the service organizations controls as of a point in time.  This snap shot audit provides a description of controls at the service organization that is validated by an independent auditor.

SAS 70 Type I audits are sometimes used as a stepping stone for organizations that have a long term goal of obtaining a SAS 70 Type II audit. Other organizations use the SAS 70 Type I audit for marketing strategies.  Regardless the use of the report, a SAS 70 Type I audit is a valuable engagement to provide third parties an independent review of your operations.

The Type II SAS 70 audit is the highest level of assurance that can be provided for SAS 70 audits; with this a more intense and larger audit is required.  The differentiator with the SAS 70 Type II audit compared to the SAS 70 Type I audit is the audit firm conducting a SAS 70 is required to report on your controls over a period of time (normally 6 – 12 months).  Due to the larger scope and higher assurance provided by a SAS 70 Type II audit, more companies require this audit from there service organizations especially since the Public Company Oversight Accounting Board (PCAOB) communicated that a SAS 70 Type II report could be utilized when relying on service organizations for Sarbanes Oxley compliance.

Not all companies need to obtain a SAS 70 Type II audit; however service organizations should evaluate their vendors and determine the appropriate audit to meet their internal compliance needs.  Often a good rule of thumb is if you have publicly traded clients or government regulated industries they will require a Type II SAS 70 audit.  Another thing to keep in mind when choosing a Type I vs. Type II audit is market perception; a company that has an annual SAS 70 Type II audit may appear more reputable to potential customers.

Our Risk Advisory professionals would love to answer any questions you may have about the types of SAS 70 Audits. Feel free to contact us 440-449-6800 or by leaving a message below.

This entry was posted in Risk Advisory Services. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Both comments and trackbacks are currently closed.
© Copyright 2016 Skoda Minotti | Privacy Policy | Disclaimer | Remote Support
Cleveland 440-449-6800 | Akron 330-668-1100 | Tampa 813-288-8826
Website designed and developed by Skoda Minotti Strategic Marketing