What is the difference between a Type I and a Type II SAS70 report?
Posted by: sas70expert
Your largest customer called and asked for your SAS70 audit report and which type of audit was completed. Do you perform a Type I or II? Don’t flip a coin; you must consider your objectives.
A SAS 70 Type I audit report provides an audit opinion of your company’s operating environment. A Type II report combines the elements of a Type I report but requires extensive testing over a defined period of time. Which is more appropriate for your organization? In accountant speak, it depends.
Consider these objectives: determine what your customers require, where your operating and IT controls need improvement, whether your policies and procedures are well documented, and how much you can afford. In general, a company would first perform a Type I, then a Type II SAS 70 audit. You may not have been reviewing firewall logs or monitoring user access to your Exchange server over a six-month period, as a Type II audit would require. In that case, a Type I would be more suitable. In addition, performing a Type I audit first would allow you to quickly learn the areas for improvement in your IT framework. Which type of SAS 70 audit are you pursuing, and what are your objectives? Sas70expert@gmail.com


