SAS 70 Type I and Type II Audits for Service Organizations

SAS 70 Type I and Type II audits have increased exponentially over the past five years, thanks in large part to the passage of the Sarbanes Oxley Act of 2002. Section 404 of the Sarbanes Oxley Act mandates that “management” has an obligation to inquire and inspect on all controls considered vital to the organization as a whole, but more importantly, to it’s financial reporting process. “Management”, that is, are the publicly traded companies in the United States that outsource a large number of critical activities to third party service providers, known as service organizations.

So what are the important elements to know and understand about SAS 70? Many, but for starters, it’s good to understand the difference between a Type I and Type II audit, so here’s a quick summary of what you need to know.

SAS 70 Type I audits report on controls placed in operation for a single date, such as December 11, 2008. Type I audits are typically seen as the starting blocks before moving towards a Type II. Type II audit are a “report on controls placed in operation and tests of operating effectiveness” for a stated test period, generally anywhere from six months to one year. SAS 70 Type II audits are becoming the standard, as Type I audits have limited usability from a compliance perspective.

To read more about Statement on Auditing Standard No. 70. , interested readers review in-depth information on the following topics:

• Definition of SAS 70
• History and Overview of the auditing standard
• Other important Facts
• SAS 70 Benefits
• Criticism of the auditing standard
• What’s in a Report
• Download a Sample SAS 70 Report