SAS 70 Type II Audit
By Ben Osbrach, National Risk Advisory Leader
The Type II SAS 70 audit is the highest level of assurance that can be provided for SAS 70 audits, with this a more intense and larger audit is required. The differentiator with the SAS 70 Type II audit compared to the SAS 70 Type I audit is the audit firm conducting a SAS 70 is required to report on your controls over a period of time (normally 6 – 12 months). Due to the larger scope and higher assurance provided by a SAS 70 Type II audit, more companies require this audit from there service organizations especially since the Public Company Oversight Accounting Board (PCAOB) communicated that a SAS 70 Type II report could be utilized when relying on service organizations for Sarbanes Oxley compliance.
Not all companies need to obtain a SAS 70 Type II audit; however service organizations should evaluate their vendors and determine the appropriate audit to meet their internal compliance needs. Often a good rule of thumb is if you have publicly traded clients or government regulated industries they will require a Type II SAS 70 audit. Another thing to keep in mind when choosing a Type I vs. Type II audit is market perception; a company that has an annual SAS 70 Type II audit may appear more reputable to potential customers.