SAS 70 Type I Audit Information
Type I audits include an examination of controls that have been placed in operation and how these very controls achieve the specified control objective for a stated period of time. Generally speaking, costs and completion time for a SAS 70 Type I audit are less than that of a Type II audit. Service organizations that generally have a Type I audit performed include those that have never had a SAS 70 performed compliance quickly, without having to undergo a longer audit process, such as that for a Type II.
A Type I report is only issued for a particular date. For example, a certified public accounting firm would examine a company’s controls and report on the "controls placed in operation" for a specified point in time, such as June 1, 2008. A fair amount of criticism of SAS 70 Type I audits has centered around it’s limited testing period, which many feel is inadequate to gain a sufficient understanding of a service organization’s control environment. As such, Type II audits are considered the viable choice, and they too have fallen under criticism for various reasons. Type I audits are beneficial in many ways, such as laying the framework and foundation for subsequent Type II audits in future periods, along with giving the service organization an understanding of expectations and time commitments for regulatory compliance auditing. Please note that completing consecutive Type I audits are typically rare, does not suffice for Section 404 of the Sarbanes-Oxley Act of 2002, and ultimately does not provide user organizations with the assurances they are seeking.
Performing a SAS 70 Type I audit is a structured, multi-step process, which includes a number of predefined processes and procedures that must take place to ensure its successful and timely completion. Generally, successfully completing a SAS 70 Type I and then moving towards Type II compliance for subsequent years is the most common path many service organizations choose to undertake when considering a SAS 70 roadmap for compliance that has long-term value.