SSAE 16 and SAS 70 have both been used extensively in the auditing world. SAS 70, or Statement on Auditing Standards No. 70, has been around since 1992. Even though SAS 70 is a US auditing standard, it has gradually become the framework for service organizations and companies located anywhere from Canada to the Far East, and from Argentina to Australia. As things are constantly changing, SAS 70 processes need to be refreshed. Therefore, in 2010 SSAE 16 was born.


What is SSAE 16?

SSAE 16, or Statement on Standards for Attestation Engagements No. 16 has been put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). While SSAE 16 was created to update and replace SAS 70, it doesn’t follow the same auditing processes and principles.

SSAE uses an attest standard that closely mirrors its international assurance equivalent, ISAE 3402, which was issued by the International Auditing and Assurance Standards Board (IAASB).

SSAE 16 and SAS 70 have several notable differences in their process.


Audit vs. Attest

SSAE 16 is an “attest” standard, falling under the attestation framework and not that of the auditing reports framework. On the other hand, SAS 70 originated under the “audit” standard. But now the term “audit” is expected to be reserved in relation to financial statement accounting standards.


System vs. Controls

SSAE 16 requires a description of the system, whereas SAS 70 asked for a description of controls. After SSAE 16 was released, practitioners have come to the firm opinion that the description of the term “system” is more expansive and detailed compared to the requirement of describing merely the controls.


Management Assertion

SAS 70 never required anything like it, but SSAE 16 calls for a written assertion level by internal management that must be made by the service organization and provided to the service auditor. Here is what the management assertion must provide:

  • Assurance that the description fairly presents the internal organization’s “system.”
  • Assurance that the control objectives were suitably designed and operating effectively.
  • Assurance that the criteria used for making these assertions were in place and consistently applied.


Enhanced Reporting Requirements

Under SSAE 16, there are enhanced reporting requirements for subservice organizations and companies. This process can be done by using the carve-out method or the inclusive method. Subservice organizational reporting is interesting to your company if you procure services from another company which then, in turn, outsources some of those tasks. As it relates to auditing requirements, SSAE 16 concerns itself with the system and controls for monitoring the effectiveness of the subservice organization.


Reporting Dates

SAS 70 Type 1 audits reported on controls in place as of a specific date. SAS 70 Type 2 audits reported on controls in place as of a specific date and on the operating effectiveness of the controls over a period of time. SSAE 16 is used to report on the system, related controls, and provide trust of operating effectiveness covering the same period of time.


Why SAS 70 Is Outdated

SAS 70 isn’t without flaws; for example, when it comes to information security reports, reviewing risk management and security programs, there are far more robust frameworks than SAS 70. Additionally, SAS 70 has a limited scope, focusing mainly on security controls, even though they only make up a small part of a successful information security program.

In fact, using SAS 70 to audit cloud service providers is questionable at best, because SAS 70 is mainly focused on financial reports. Auditors who were involved with SAS 70 were usually part of CPA firms that didn’t necessarily have information security expertise.


Ensuring Compliance with Current Auditing Standards

If your company is required to conform to SSAE 16 or previously SAS 70, then it’s important to ensure trust in compliance reports across the board. This includes the service providers and companies you’re using to support regular internal business operations.

Your document management software (DMS) should work according to your company’s internal policies and procedures to provide an assessment to help you comply with SSAE 16. Your DMS needs to follow your control level objectives. For example, if your company stipulates that only HR personnel have access to paperwork for new hires, then the design of your DMS platform should restrict access accordingly. In eFileCabinet, this example would be accomplished by setting up user-based controls. In this scenario, it shouldn’t be possible for another person (even a higher-level manager) to override these controls and gain unauthorized access.

Incidentally, eFileCabinet also allows you to follow an audit trail to create an assessment of who accessed which document and when it was altered. You can even see previous versions of documents.

Have you reviewed your organization’s systems and controls to make sure you’re conforming to SSAE 16? Are you ready to upgrade your document management software and ensure compliance going forward? eFileCabinet is compliant with SAS 70 type 2 and SSAE 16. Fill out the form on this page to start your free demo. If you have any further questions about SAS 70 or SSAE 16 compliance in regards to DMS, feel free to give us a call or start a chat.