Could you describe the difference between an assurance standard (ISAE 3402) vs. an attestation standard (SSAE 16)?

Engagements performed under SSAE No. 16 and ISAE 3402 are very similar. For service organizations with international operations or international clients, there may be a benefit to obtaining a report indicating that the examination was performed in accordance with AICPA and IAASB standards. An engagement that is performed in accordance with both sets of standards would not be expected to involve a substantially different examination scope or approach than an individual SSAE No. 16 engagement would.

Exhibit B of SSAE No. 16 identifies the differences between SSAE No. 16 and ISAE 3402. The analysis is not authoritative and was prepared by the AICPA for informational purposes only. The differences are summarized below. See the standard for additional details.

1. Intentional Acts by Service Organization Personnel
The SSAE 16 standard requires follow-up action for the service auditor when he or she obtains information about intentional acts. The SSAE 16 standard also requires the service auditor to request written representations from management that it has disclosed to the service auditor knowledge of any actual, suspected, or alleged intentional acts by management or the service organization’s employees, of which it is aware, that could adversely affect the fairness of the presentation of management’s description of the service organization’s system or the completeness or achievement of the control objectives stated in the description.

2. Anomalies
ISAE 3402 contains a requirement that enables a service auditor to conclude that a deviation identified in tests of controls involving sampling is not representative of the population from which the sample was drawn.

3. Direct Assistance
The International Standards on Auditing and the ISAEs do not provide for use of the internal audit function for direct assistance.

4. Subsequent Events

ISAE 3402 limits the types of subsequent events that would need to be disclosed in the service auditor’s report to those that could have a significant effect on the service auditor’s report.

5. Statement Restricting Use of the Service Auditor’s Report
SSAE 16 requires the service auditor’s report to include a statement restricting the use of the report to management of the service organization, user entities of the service organization’s system, and user auditors.

6. Documentation Completion
SSAE requires the service auditor to assemble the engagement documentation in an engagement file and complete the administrative process of assembling the final engagement file on a timely basis, but also indicates that a timely basis is no later than 60 days following the service auditor’s report release date.

7. Engagement Acceptance and Continuance
SSAE 16 establishes conditions for the acceptance and continuance of an engagement to report on controls at a service organization. One of the conditions is that management acknowledge and accept responsibility for providing the service auditor with written representations at the conclusion of the engagement. ISAE 3402 does not include this requirement as a condition of engagement acceptance and continuance.

8. Disclaimer of Opinion
If management does not provide the service auditor with certain written representations, paragraph 40 of ISAE 3402 requires the service auditor, after discussing the matter with management, to disclaim an opinion. SSAE 16 requires the service auditor to take appropriate action, which may include disclaiming an opinion or withdrawing from the engagement.

9. SSAE 16 additional reporting elements
There are also additional elements of a SSAE 16 report that are not required in the ISAE 3402 report.