This question was asked by an attendee at a recent Proformative SAS 70/SSAE 16 event: Could you describe the difference between an assurance standard (ISAE 3402) vs. an attestation standard (SSAE 16)?
Answers
There is a post here that gives some background, but assurance includes both attestation and audit. Attestation services always report compliance to
Engagements performed under SSAE No. 16 and ISAE 3402 are very similar. For service organizations with international
Exhibit B of SSAE No. 16 identifies the differences between SSAE No. 16 and ISAE 3402. The analysis is not authoritative and was prepared by the AICPA for informational purposes only. The differences are summarized below. See the standard for additional details.
1. Intentional Acts by Service Organization Personnel
The SSAE 16 standard requires follow-up action for the service
2. Anomalies
ISAE 3402 contains a requirement that enables a service auditor to conclude that a deviation identified in tests of controls involving sampling is not representative of the population from which the sample was drawn.
3. Direct Assistance
The International Standards on Auditing and the ISAEs do not provide for use of the internal audit function for direct assistance.
4. Subsequent Events
ISAE 3402 limits the types of subsequent events that would need to be disclosed in the service auditor’s report to those that could have a significant effect on the service auditor’s report.
5. Statement Restricting Use of the Service Auditor’s Report
SSAE 16 requires the service auditor’s report to include a statement restricting the use of the report to management of the service organization, user entities of the service organization’s system, and user auditors.
6. Documentation Completion
SSAE requires the service auditor to assemble the engagement documentation in an engagement file and complete the administrative process of assembling the final engagement file on a timely basis, but also indicates that a timely basis is no later than 60 days following the service auditor’s report release date.
7. Engagement Acceptance and Continuance
SSAE 16 establishes conditions for the acceptance and continuance of an engagement to report on controls at a service organization. One of the conditions is that management acknowledge and accept responsibility for providing the service auditor with written representations at the conclusion of the engagement. ISAE 3402 does not include this requirement as a condition of engagement acceptance and continuance.
8. Disclaimer of Opinion
If management does not provide the service auditor with certain written representations, paragraph 40 of ISAE 3402 requires the service auditor, after discussing the matter with management, to disclaim an opinion. SSAE 16 requires the service auditor to take appropriate action, which may include disclaiming an opinion or withdrawing from the engagement.
9. SSAE 16 additional reporting elements
There are also additional elements of an SSAE 16 report that are not required in the ISAE 3402 report.