Statement on Auditing Standards (SAS) 70 vs Statement on Standards for Attestation Engagements (SSAE) 16
SAS70 is a report commonly used by an entity to gain insight into their third-party service provider’s internal controls as they relate to financial reporting. SAS70 gained wide-spread use with the passage of the Sarbanes-Oxley 404 Act however, as of June 15, 2011 the American Institute of Certified Public Accountants (AICPA) replaced the SAS70 report with the SSAE 16 report as the authoritative guidance for reporting on service organizations. Similar to the SAS70 report, there are two types of SSAE 16 service auditor reports; Type I and Type II.
In a Type I report the independent auditor (e.g., the service auditor of the company that provides services to other entities) expresses an opinion whether the service organization management’s description of its systems and controls were fairly presented and whether such controls were suitably designed to achieve control objectives as of a specific date.
In a Type II report the independent auditor expresses an opinion on the same two components evaluated on a Type I report and in addition to that, an opinion on whether the stated controls operated effectively throughout the specified period (minimum of six months).
SSAE 16 vs International Standard on Assurance Engagements (ISAE) 3402
For more than 18 years, SAS70 was the global de facto standard for reporting of controls at service organizations. With the US release of the SSAE 16 service organization reporting standard, the International Auditing and Assurance Standards Board (IAASB) developed a sister reporting standard, called ISAE 3402. Similar to the SSAE 16, ISAE 3402 is effective for service auditor’s assurance reports covering periods ending on or after June 15, 2011. Both standards share a common framework and have migrated to more globally-accepted accounting standards, such as that of the International Financial Reporting Standards (IFRS).
SAS70 vs SSAE 16 vs ISAE 3402
The SAS70 standard only called for a description of “controls” and did not require a statement of assertion. The SSAE 16 “attestation” standard and the ISAE 3402 “assurance” standard both require management to provide a description of its “system” and a written statement of assertion. As noted earlier, a Type 1 and Type II report further distinguish management’s statement of assertion.
Currently, various nationally recognized standards are used in conjunction with SSAE 16 / ISAE 3402. A few standard setting organizations by country are listed below:
US – Statement on Standard for Attestation Engagements (SSAE) 16
CA – Canadian Institute of Chartered Accountants (CICA) 5970
UK – Audit and Assurance Faculty Standard (AAF) 01/06
AU – Guidance Statement (GS) 007
HK – HKSA Statements – Auditing Practice Note 860.2
JP – Audit Standards Committee Report No. 18
DE (Germany) – IDW PS 951
Standard setting organizations within each country are encouraged to either directly adopt ISAE 3402 or amend their existing standard to closely align with ISAE 3402. It will be interesting to see if ISAE 3402 will be looked upon as the de-facto global standard for reporting on service organizations.
UPDATE: As of May 1, 2017, SSAE 16 was replaced by SSAE 18. The new standard issues a number of IT-centric reports to enhance monitoring requirements and cut down on redundancy. We developed a whitepaper to help you navigate the new requirements, determine the pertinent depth and breadth of controls, and identify the appropriate report for your specific needs. Request your complimentary copy at [email protected]
