SAS 70 and SSAE 16 Compliance
Statement on Auditing Standards No. 70, known as SAS 70, is an auditing standard issued by the American Institute of Certified Public Accountants (AICPA), originally titled “Reports on the Processing of Transactions by Service Organizations.” SAS 70 became widely recognized as the benchmark for reporting on the controls of service organizations. In the United States it has been superseded by SSAE 16, and internationally by ISAE 3402.
SAS 70 provides guidance for a service auditor’s examination of the internal controls of a service organization, such as an insurance company, trust company, data hosting provider or medical claims processor, and for the issuance of the resulting service auditor’s report. A service organization provides outsourced services that become part of its customers’ control environment, so a customer needs independent assurance about the design and operation of the controls that its service organization manages on its behalf.
There are two types of service auditor reports:
- A Type I report covers the fairness of the description of the service organization’s controls and the suitability of their design as of a specified date. It is the more basic of the two reports.
- A Type II report covers the same ground and, in addition, reports on whether the controls operated effectively over a specified review period, based on the auditor’s testing. It is the more rigorous report and the one user organizations usually require.
BWise provides a comprehensive, web-based and integrated GRC solution that enables service organizations to plan and prepare for Type I or Type II service auditor’s reports. BWise also supports and tracks compliance with the additional requirements introduced by ISAE 3402 and SSAE 16:
- Management of the service organization prepares a “Description of its System” (rather than a description of the controls alone) and must use suitable criteria in preparing it
- Management of the service organization prepares a written assertion to accompany its description; the service auditor then attests to management’s assertion
- The service organization is responsible for identifying the risks that could threaten the achievement of its control objectives
Best practice for SAS 70 compliance
BWise Governance, Risk and Compliance (GRC) management software supports the design, documentation and assessment of internal controls as required by SAS 70, ISAE 3402 and SSAE 16. Specifically, BWise has developed a best-practice approach to SAS 70 compliance that allows the internal control framework and its controls to be set up, the controls to be tested regularly, and the associated risks to be identified and tracked.