Installment #3: Which kind of SAS 70 report do I need?

Wait, there is more than one kind?

Actually there are two types of SAS 70 audit reports, Type I and Type II. Type I is a ‘report on controls placed in operation’. Type II is a ‘report on controls placed in operation and tests of operating effectiveness’. The only difference is the additional testing of the effectiveness of established operations.

A Type I report states the auditor’s opinion on the service provider’s ‘controls’, or policies and procedures, at a particular point in time (the time of the audit). Basically it gives a good idea of whether the controls are fairly presented, whether they are well designed to achieve the desired objectives, and whether they were in place at the time of the audit. The Type I report essentially provides a quick snapshot of a service provider’s policies and procedures as they are defined by the service provider in question.

A Type II report is similar to a Type I report but expands the scope from a single auditing instance to a longer period of time, such as 6 or 12 months, to provide a more complete idea of whether the service provider is really complying with its own policies and procedures on a day-to-day basis. This kind of report can be much more revelatory to most groups because almost anyone can quickly fake up some compliance efforts for a day while the auditor is in the office.
