SSAE 16 and SAS 70 have both been used extensively in the auditing world. SAS 70, or Statement on Auditing Standards No. 70, has been around since 1992. Even though SAS 70 is a US auditing standard, it has gradually become the framework for service organizations located anywhere from Canada to the Far East, and from Argentina to Australia. As things are constantly changing, SAS 70 needed to be refreshed. Therefore, in 2010 SSAE 16 was born.
What is SSAE 16?
SSAE 16, or Statement on Standards for Attestation Engagements No. 16 has been put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). While SSAE 16 was created to update and replace SAS 70, it doesn’t follow the same auditing principles.
SSAE uses an attest standard that closely mirrors its international assurance equivalent, ISAE 3402, which was issued by the International Auditing and Assurance Standards Board (IAASB).
SSAE 16 and SAS 70 have several notable differences.
Audit vs. Attest
SSAE 16 is an “attest” standard, falling under the attestation framework and not that of the auditing framework. On the other hand, SAS 70 originated under the “audit” standard. But now the term “audit” is expected to be reserved in relation to financial statement accounting standards.
System vs. Controls
SSAE 16 requires a description of the system, whereas SAS 70 asked for a description of controls. After SSAE 16 was released, practitioners have largely agreed that description of the term “system” is more expansive and detailed compared to the requirement of describing merely the controls.
SAS 70 never required anything like it, but SSAE 16 calls for a written assertion by management that must be made by the service organization and provided to the service auditor. Here is what the management assertion must include:
- Assurance that the description fairly presents the organization’s “system.”
- Assurance that the control objectives were suitably designed and operating effectively.
- Assurance that the criteria used for making these assertions were in place and consistently applied.
Enhanced Reporting Requirements
Under SSAE 16, there are enhanced reporting requirements for subservice organizations. This can be done by using the carve-out method or the inclusive method. Subservice organizational reporting is of interesting to your company if you procure services from another company which then in turn outsources some of those tasks. As it relates to auditing requirements, SSAE 16 concerns itself with the system and controls for monitoring the effectiveness of the subservice organization.
SAS 70 Type 1 audits reported on controls in place as of a specific date. SAS 70 Type 2 audits reported on controls in place as of a specific date and on the operating effectiveness of the controls over a period of time. SSAE 16 is used to report on the system, related controls, and operating effectiveness covering the same period of time.
Why SAS 70 Is Outdated
SAS 70 isn’t without flaws; for example, when it comes to information security, reviewing risk management and security programs, there are far more robust frameworks than SAS 70. Additionally, SAS 70 has a limited scope, focusing mainly on security controls, even though they only make up a small part of a successful information security program.
In fact, using SAS 70 to audit cloud service providers is questionable at best, because SAS 70 is mainly focused on financial reporting. Auditors who were involved with SAS 70 were usually part of CPA firms that didn’t necessarily have information security expertise.
Ensuring Compliance with Current Auditing Standards
If your company is required to conform to SSAE 16 or previously SAS 70, then it’s important to ensure compliance across the board. This includes the service providers you’re using to support regular business operations.
Your document management software (DMS) should work according to your company’s policies and procedures to help you comply with SSAE 16. Your DMS needs to follow your control objectives. For example, if your company stipulates that only HR personnel have access to paperwork for new hires, then your DMS should restrict access accordingly. In eFileCabinet, this example would be accomplished by setting up user-based controls. In this scenario, it shouldn’t be possible for another person (even a higher-level manager) to override these controls and gain unauthorized access.
Incidentally, eFileCabinet also allows you to follow an audit trail to find out who accessed which document and when it was altered. You can even see previous versions of documents.
Have you reviewed your organization’s systems and controls to make sure you’re conforming to SSAE 16? Are you ready to upgrade your document management software and ensure compliance going forward? eFileCabinet is compliant with SAS 70 type 2 and SSAE 16. Fill out the form on this page to start your free demo. If you have any further questions about SAS 70 or SSAE 16 compliance in regards to DMS, feel free to give us a call or start a chat.