It is true that some organizations use a Level 1 audit as a quick-and-dirty assessment to figure out how much work needs to be done for a Level 2 audit.
On the other hand, a Level 2 audit is the real deal. The auditor comes in and assesses the operational effectiveness of the controls over a period of time. That's why it usually takes 6-12 months to get a Level 2 SAS 70 certification.
So if a Level 1 audit doesn't prove much, why do you need it? To be candid, it's pretty much a marketing tool. A lot of people associate some level of security with SAS 70, and most don't know the difference between the levels of audit. When a corporation says it is "SAS 70 certified," it is hoping for two things: that customers understand what a SAS 70 certification is, and that they are unaware of the two different levels.
To be clear, SAS 70 is more about controls than security. I don't believe that a SAS 70 audit replaces the need for a penetration test, which will really exercise your security systems' effectiveness against attacks.
This was first published in July 2007