What is the difference between a SAS 70 Level 1 and Level 2 audit?

In this SearchSecurity.com Q&A, security management expert Mike Rothman highlights the differences between an SAS 70 Level 1 audit and a Level 2 audit.

What is a SAS 70 Level 1 audit, and how does it differ from a Level 2 audit? Why is each one necessary?

The big difference between a Level 1 and Level 2 SAS 70 audit involves proving what you've done. An auditor doing a Level 1 audit is focused on whether the controls exist, rather than whether they are enforced. There is a big difference.

It is true that some organizations use a Level 1 audit as a quick-and-dirty assessment to figure out how much work needs to be done for a Level 2 audit.

On the other hand, a Level 2 audit is the real deal. The auditor comes in and assesses the operational effectiveness of the controls over a period of time. That's why it usually takes 6-12 months to get a Level 2 SAS 70 certification.

So if a Level 1 audit doesn't prove much, why do you need it? To be candid, it's pretty much a marketing tool. A lot of people associate some level of security with SAS 70, and most don't know the difference between the levels of audit. When a corporation says they're "SAS 70 certified," they're hoping for two things: that customers understand what a SAS 70 certification is, but are unaware of the two different levels.

To be clear, SAS 70 is more about controls than security. I don't believe that a SAS 70 audit replaces the need for a penetration test, which will really exercise your security systems' effectiveness against attacks.
