The Type II SAS 70 audit provides the highest level of assurance available for SAS 70 audits, and it therefore requires a larger and more intensive audit. The difference between the SAS 70 Type II audit and the SAS 70 Type I audit is that, for a Type II, the audit firm is required to report on your controls over a period of time (normally 6 – 12 months). Due to the larger scope and higher assurance provided by a SAS 70 Type II audit, more companies require this audit from their service organizations, especially since the Public Company Accounting Oversight Board (PCAOB) communicated that a SAS 70 Type II report could be utilized when relying on service organizations for Sarbanes-Oxley compliance.
Not all companies need to obtain a SAS 70 Type II audit; however, service organizations should evaluate their vendors and determine the appropriate audit to meet their internal compliance needs. Often a good rule of thumb is that if you have publicly traded clients or clients in government-regulated industries, they will require a Type II SAS 70 audit. Another thing to keep in mind when choosing between a Type I and a Type II audit is market perception: a company that has an annual SAS 70 Type II audit may appear more reputable to potential customers.