Ask the Expert

What is the difference between a SAS 70 Level 1 and Level 2 audit?

What is a SAS 70 Level 1 audit, and how does it differ from a Level 2 audit? Why is each one necessary?


The big difference between a Level 1 and Level 2 SAS 70 audit involves proving what you've done. An auditor doing a Level 1 audit is focused on whether the controls exist, rather than when they are enforced. There is a big difference.

It is true that some organizations use a Level 1 audit as a quick-and-dirty assessment to figure out how much work needs to be done for a Level 2 audit.

On the other hand, a Level 2 audit is the real deal. The auditor comes in and assesses the operational effectiveness of the controls over a period of time. That's why it usually takes 6-12 months to get a Level 2 SAS 70 certification.

So if a Level 1 audit doesn't prove much, why do you need it? To be candid, it's pretty much a marketing tool. A lot of people associate some level of security with SAS 70, and most don't know the difference between the levels of audit. When a corporation says it's "SAS 70 certified," it's hoping for two things: that customers understand what a SAS 70 certification is, and that they are unaware of the two different levels.

To be clear, SAS 70 is more about controls than security. I don't believe that a SAS 70 audit replaces the need for a penetration test, which will really exercise your security systems' effectiveness against attacks.

For more information:

  • In this Q&A, security expert Joel Dubin identifies the several identity management auditing tools on the market, and discusses which products best suit your needs.
  • Learn how internal IT audits can assist an organization in its regulatory compliance efforts.
  • This was first published in July 2007
