Types of SAS 70 Services

Posted on 03.05.12

This blog is a re-posting from June 2009

Now that we’ve discussed What is a SAS 70 and who needs it , let’s talk a bit more about the different types of SAS 70s and the time periods a report might cover.

A Type I SAS 70 assesses the design of internal controls at the service organization.  A Type I is a point in time report, meaning it does not provide coverage over a period of time.

A Type II SAS 70 assesses the design, as well as tests the operating effectiveness of the internal controls at the service organization.  A Type II report covers a defined time frame – usually 6, 9, or 12 months.  These generally take more time to complete, because of the testing over the period.  That being said, because there is evidence that controls are in fact working properly, these reports hold more weight and are most often sought after by customers, auditors, and potential future customers.

SAS 70 Readiness assesses a company’s preparedness for a SAS 70 audit by identifying internal control weaknesses prior to the audit being performed.  If a company is entering the first year of completing a SAS 70, these are often performed so that the actual SAS 70 has a clean opinion.  An approach to reduce the costs of a first year SAS 70 audit is to perform a Readiness Review and a Type I audit in the first year.  Then in subsequent years, perform a Type II.

Does your organization provide an “outsourced” service to companies?  
Have your customers requested to see a SAS 70 audit report?