SAS70 audits can be looked upon as an examination of an entity’s control environment. In more technical terms, a SAS70 Type I audit is used to report on controls placed in operation. Thus, a SAS 70 Type II audit is used to report on controls placed in operation and the testing of operating effectiveness.
Quickly, you can see the difference between a Type I and a Type II audit. a Type II audit’s testing of operating effectiveness essentially means that a testing period is undertaken when examining a service organization’s control environment. It’s the main difference between a SAS70 Type I and Type II.
Keep in mind that Type II audits are commonly used for complying with section 404 of the Sarbanes Oxley act. Management (executives of user organizations, that is) must have assurances of their internal control environment, thus, many times a SAS70 Type II audit is required from service organizations who provide outsourcing functions for these very user organizations.