
What is the difference between a SAS 70 Level 1 and Level 2 audit?

In this SearchSecurity.com Q&A, security management expert Mike Rothman highlights the differences between an SAS 70 Level 1 audit and a Level 2 audit.

What is a SAS 70 Level 1 audit, and how does it differ from a Level 2 audit? Why is each one necessary?

The big difference between a Level 1 and Level 2 SAS 70 audit involves proving what you've done. An auditor doing a Level 1 audit is focused on whether the controls exist, rather than when they are enforced. There is a big difference.

It is true that some organizations use a Level 1 audit as a quick-and-dirty assessment to figure out how much work needs to be done for a Level 2 audit.

On the other hand, a Level 2 audit is the real deal. The auditor comes in and assesses the operational effectiveness of the controls over a period of time. That's why it usually takes 6-12 months to get a Level 2 SAS 70 certification.

So if a Level 1 audit doesn't prove much, why do you need it? To be candid, it's pretty much a marketing tool. A lot of people associate some level of security with SAS 70, and most don't know the difference between the levels of audit. When a corporation says they're "SAS 70 certified," they're hoping for two things: that customers understand what a SAS 70 certification is, but are unaware of the two different levels.

To be clear, SAS 70 is more about controls than security. I don't believe that a SAS 70 audit replaces the need for a penetration test, which will really exercise your security systems' effectiveness against attacks.

For more information:

  • In this SearchSecurity.com Q&A, security expert Joel Dubin identifies several identity management auditing tools on the market and discusses which products best suit your needs.
  • Learn how internal IT audits can assist an organization in its regulatory compliance efforts.
This was last published in July 2007
