As a SAS 70 Auditor, I’m often asked whether a SAS 70 Type I is needed before conducting a SAS 70 Type II. The answer: YES and NO!
Yes, if an organization has never gone through a SAS 70 audit, has time to conduct a Type I audit, or has “cold feet” about going right into a SAS 70 Type II, which can be an extensive undertaking for any organization not familiar with Statement on Auditing Standards No. 70.
As for the NO answer: if organizations have a compelling regulatory requirement to obtain SAS 70 Type II compliance, then you know the answer. Also, if an organization is continuing to roll forward every year with a Type II, then obviously one would never go back to do a Type I, unless it was on a completely different business line (but that is a whole different topic to discuss at a later time).
As an auditor, my advice is to “crawl” before you “walk”; that is, get your feet wet and become acquainted with the SAS 70 process by conducting a Type I audit first and foremost, if you CAN.
Want to learn more about SAS 70 audits? Visit the official SAS 70 Resource Guide.