SAS 70

Aug 14 2008   12:01PM GMT

What is the difference between a Type I and a Type II SAS70 report? SAS70ExPERT

Keith Harrell Profile: SAS70ExPERT

Your largest customer called and asked for your SAS70 audit report and which type of audit was completed? Do you perform a Type I or II? Don’t flip a coin; you must consider your objectives.


A SAS 70 Type I audit report provides an audit opinion of your Companies’ operating environment. A Type II report combines the elements of a Type I report but requires extensive testing over a defined period of time. Which is more appropriate for your organization? In accountant speak, it depends.


Consider these objectives: Determine what your customers require and where you’re operating an IT controls need improvement; are your policies and procedures well documented; and how much can you afford. In general, a Company would first perform a Type I, then a Type II SAS 70 audit. You may not have been reviewing firewall logs or monitoring user access to your exchange server over a six month period in order to perform a Type II audit. Therefore, a Type I would be more suitable.  In addition, performing a Type I audit first would allow you to quickly learn the areas of improvement with your IT framework. Which type SAS 70 audit are you pursuing and what are your objectives?

1  Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • Unixboy
    How do I know if a SAS70 is for my company? What's a good benchmark for determining if my company should have an audit? Should privately held companies have an audit or are audits for publicly traded companies that have an obligation to share holders?
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: