• About BWise
  • The Company
  • Mission and Values
  • Growth and Strategy
  • Message from the CEO
  • Management
    • Luc Brandts, CTO
    • Tonny Boerboom, COO
    • Rob van Straten, Global Head of Sales
    • Theo Marneweck, CFO
    • Harry Roelfsema, VP GPS
    • Robert Pijselman, CEO
  • Supervisory Board
    • Wim H. Heijting
    • Anna Ewing
    • Lars Ottersgard
  • Career Opportunities
  • BWise Blog
  • GRC Library
• Industries
  • Energy & Utilities
  • Financial Services
  • Insurance
  • Manufacturing
  • Pharmaceuticals & Chemicals
  • Services
  • Other Industries
• GRC Challenges
  • Case Management
  • Convergence of GRC
  • Continuous Monitoring/SoD
  • Corporate Governance
  • Corporate Social Responsibility
  • Enterprise Risk
  • Financial Governance
  • Internal Audit
  • IT Governance
  • Operational Risk
  • Process Standardization
  • Regulatory Compliance
    • Basel III
    • Bill 198
    • Conflict Minerals
    • FERC
    • Foreign Corrupt Practices Act
    • MiFID
    • Model Audit Rule (MAR)
    • NERC
    • Sarbanes-Oxley
    • SAS 70 and SSAE 16
    • UK Bribery Act
    • Solvency II
    • Turnbull
    • Unified Compliance Framework
  • Soft Control Testing
  • Sustainability Performance Management
  • Vendor Risk Management
• Solutions & Services
  • GRC Platform
    • Risk Management
    • Internal Control
    • Internal Audit
    • Compliance and Policy Management
    • IT GRC
    • Sustainability Performance Management
    • Process Management
    • Business Continuity Management
    • Continuous Monitoring/SoD
    • Continuous Auditing
  • Templates
    • Basel III
    • COBIT™
    • Model Audit Rule (MAR)
    • MiFID
    • Solvency II
    • SAS 70 & SSAE 16
    • Soft Control Testing
    • IT Control & UCF
  • Software as a Service
  • Implementation Methodology
  • Business Consulting
  • BWise Academy
    • GRC Training Program
    • IR Training Program
• Customers
  • Customer references
    • AEGON
    • AG2R LA MONDIALE
    • Ahold
    • DSM
    • FMP
    • France Telecom
    • Headwaters
    • Robeco
    • Roche
    • Swiss Life
    • TNT
  • Customer events
    • NASDAQ Closing Bell 2012
    • DACH Customer Summit 2010
    • French Customer Summit 2009
    • North American Customer Summit 2009
    • North American Customer Summit 2008
    • Trustday 2008
• Partners
  • Partner Program
• News & Events
  • News
  • Events
  • Webinars
  • News Room
• Contact
  • Offices
  • Support

Follow Us

• GRC Challenges
• Case Management
• Convergence of GRC
• Continuous Monitoring/SoD
• Corporate Governance
• Corporate Social Responsibility
• Enterprise Risk
• Financial Governance
• Internal Audit
• IT Governance
• Operational Risk
• Process Standardization
• Regulatory Compliance
  • Basel III
  • Bill 198
  • Conflict Minerals
  • FERC
  • Foreign Corrupt Practices Act
  • MiFID
  • Model Audit Rule (MAR)
  • NERC
  • Sarbanes-Oxley
  • SAS 70 and SSAE 16
  • UK Bribery Act
  • Solvency II
  • Turnbull
  • Unified Compliance Framework
• Soft Control Testing
• Sustainability Performance Management
• Vendor Risk Management

SAS 70 and SSAE 16 Compliance

The Statement on Auditing Standards 70, known as SAS 70, is an auditing standard, officially titled “Reports on the Processing of Transactions by Service Organizations.” It was created by the American Institute of Certified Public Accountants (AICPA). SAS 70 is recognized worldwide as a standard of quality for service organizations. The standard has recently been updated in the United States as SSAE 16 and internationally as ISAE 3402.

SAS 70 provides standards for internal controls and the issuance of a service auditor’s internal control report for organizations such as insurance companies, trust companies, data hosting companies, and medical claims companies. A service company may provide outsourcing services that impact the control environment of its customers. It is vital for a customer of a service organization to have a reliable statement on the management of its controls and quality assurance from its service company.

There are two types of service auditor reports:

• Type I SAS-70 reports state the proper design of all relevant controls. A Type I certification is the most basic certification.
• Type II SAS-70 reports not only state the proper design, but also state that all controls are operating effectively. The Type II certification is the most advanced SAS-70 certification.

BWise provides a comprehensive, web-based and integrated GRC solution that enables service organizations to plan and create Type I or Type II service auditor’s internal control reports. BWise also enables and tracks compliance with the new ISAE 3402 and SSAE 16 standard’s requirements:

• Management of the service organization will prepare a “Description of its System” (instead of just the controls) and will need to use suitable criteria in preparing the description
• Management of the service organization will prepare a written assertion to accompany its description; the service auditor will then attest to management’s assertion
• The service organization is responsible for identifying risks that could threaten the achievement of its controls objectives

Best practice for SAS 70 compliance

BWise Governance, Risk and Compliance (GRC) management software enables the design and arrangement of internal controls and their assessment as required by SAS 70, ISAE 3402 and SSAE 16. Specifically, BWise has developed a best practice approach to SAS 70. It allows internal controls and their framework to be setup, those controls to be regularly tested and any associated risks to be found. More information.