SAS 70 and SSAE 16 Compliance

SAS 70 provides standards for internal controls and the issuance of a service auditor’s internal control report for organizations such as insurance companies, trust companies, data hosting companies, and medical claims companies. A service company may provide outsourcing services that impact the control environment of its customers. It is vital for a customer of a service organization to have a reliable statement on the management of its controls and quality assurance from its service company.
There are two types of service auditor reports:

  • Type I SAS-70 reports state the proper design of all relevant controls. A Type I certification is the most basic certification.
  • Type II SAS-70 reports not only state the proper design, but also state that all controls are operating effectively. The Type II certification is the most advanced SAS-70 certification.

BWise provides a comprehensive, web-based and integrated GRC solution that enables service organizations to plan and create Type I or Type II service auditor’s internal control reports. BWise also enables and tracks compliance with the new ISAE 3402 and SSAE 16 standard’s requirements:

  • Management of the service organization will prepare a “Description of its System” (instead of just the controls) and will need to use suitable criteria in preparing the description
  • Management of the service organization will prepare a written assertion to accompany its description; the service auditor will then attest to management’s assertion
  • The service organization is responsible for identifying risks that could threaten the achievement of its controls objectives

Best practice for SAS 70 compliance

BWise Governance, Risk and Compliance (GRC) management software enables the design and arrangement of internal controls and their assessment as required by SAS 70, ISAE 3402 and SSAE 16. Specifically, BWise has developed a best practice approach to SAS 70. It allows internal controls and their framework to be setup, those controls to be regularly tested and any associated risks to be found.


Using BWise and the SAS 70 template, compliance with all internal control audit requirements are accomplished in the most cost effective and efficient way. Audits can be performed rapidly and efficiently, with all required information readily available, saving substantial audit costs. In addition, BWise offers a completely integrated GRC software platform, with components that can not only assist with internal controls, but also with risk management and embedding governance and compliance processes into your organization.

More information

Select a GRC Platform? 

Download the brochure: Top 7 Considerations When Evaluating GRC Software - A guide to selecting the best GRC platform for your company.

Role-based software solutions

Download the brochures about the software solutions we offer.

More information about Governance, Risk and Compliance can be found in our GRC Library.


For more information, contact us.

Scroll up