Regulatory Compliance, Governance and Security

Jan 7 2010   1:21AM GMT

SAS 70 Audit & Compliance | Is a Type I Needed before a Type II?



As a SAS 70 Auditor, I’m often asked if a SAS 70 Type I is needed before conducting a SAS 70 Type II? The answer, YES and NO!

Yes, in that if an organization has never gone through a SAS 70 audit, has time to conduct a Type I audit, or has “cold feet” about going right into a SAS 70 Type II, which can be an extensive undertaking for any organization not familiar with Statement on Auditing Standards No. 70.

As for the NO answer. Well, if organizations have a compelling regulatory requirement to obtain SAS 70 Type II compliance, then you know the answer. Also, if an organization is continuing to roll forward every year with a Type II, then obviously, one would never go back to do a Type I, unless it was on a completely different business line (but that is a whole different topic to discuss at a later time).

As an auditor, my advice is to “crawl” before you “walk”, that is, get your feet wet and become acquainted with the SAS 70 process by conducting a Type I audit first and foremost-if you CAN.

Want to learn more about SAS 70 audits, then visit the official SAS 70 Resource Guide.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: