SAS 70 | A Brief Primer on Type I and Type II Audits

Statement on Auditing Standards No. 70, simply known as SAS 70 to many, is an auditing standard that was put forth in 1992. It was the culmination of previous auditing standards that led to the formation of SAS 70.

So, is SAS 70 an audit, a standard, a process for examining an organization’s internal controls? Well, to be fair, it’s a little bit of all that. It’s an audit standard used by auditors (traditionally, CPA’s, that is) when they conduct an audit on a service organization. Sound a little confusing? It might be at first, but spend some time at the SAS 70 Resource Guide and you will quickly be brought up to on SAS 70 Type I and Type II audits.

A few points to keep in mind. First, SAS 70 audits have witnessed explosive growth, due in large part to the ever-expanding regulatory requirements that keep coming down the pipeline. Sarbanes Oxley, HIPAA, GLBA, along with other state and federal legislative mandates are pushing SAS 70 to the forefront of today’s business arena.

Second is pricing. Currently, pricing for these audits are quite scattered and all over the board. Do your due diligence to find a firm that delivers a great product at a fair, reasonable price.

Third is scope. Make sure the audit is scoped correctly. Too wide a scope, then you can have cost and time overruns. Too small a scope, then you may not have met the demands of user organizations who are requiring you to be SAS 70 Type II compliant.

Fourth. If you need more information, you can download SAS 70 sample reports by going to the SAS 70 download available option at the SAS 70 Resource Guide.