SSAE 16 and ISAE 3402 share many similarities indeed, both being standards put forth that have fundamentally reshaped the regulatory compliance landscape for reporting on controls at service organizations. Come June 15, 2011, the well-recognized SAS 70 auditing standard will effectively be replaced by SSAE 16, allowing the new U.S. standard along with ISAE 3402 and other region specific standards to become the dominant platforms for reporting on controls at service organizations.
SSAE 16 and ISAE 3402 are the result of a collaborative effort put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC) and the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Both entities closely aligned each of their respective standards in an attempt to follow a growing move towards more international, globally accepted accounting standards. The IAASB took the lead in establishing the new ISAE 3402 standard, with the ASB following closely behind and adopting a "convergence" ideology in developing the framework for SSAE 16 that was to closely mirror ISAE 3402.
The two most important elements that distinguish SSAE 16 and ISAE 3402 from the SAS 70 auditing standard is that management of the service organization must provide a description of its "system" along with a written assertion. This will no doubt require careful planning and consideration from the service organization for ensuring these reporting requirements are met. And while the SAS 70 auditing standard called for a description of “controls”, the SSAE 16 and ISAE 3402 standards call for a description of the service organization’s “system”, which can be quite broad and extensive when reading the final language for the SSAE 16 and ISAE 3402 standards. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
However, there are indeed a number of differences between SSAE 16 and ISAE 3402, and a qualified service auditor can explain these to your organization, if necessary. Most of these difference can be looked upon as technical in nature, as the overriding platform of SSAE 16 and ISAE 3402 are vastly similar.
SSAE 16 and ISAE 3402 will effectively become the dominant standards used for reporting on controls at service organizations. It is unclear at this point what role any of the existing country and regional specific standards will have. SAS 70 is not the only country specific standard, as Japan, Canada, and the United Kingdom have their own also.
Call Christopher G. Nickell, CPA, to learn more about NDB’s competitive, fixed-fee pricing for SSAE 16 Type 1 and Type 2 reporting. 1-800-277-5415, ext. 706.