SAS 70/SSAE 16/ISAE 3402 Comparison

The chart below compares SAS 70, SSAE 16, and ISAE 3402 on the nature of each standard, the written assertions each requires, the description of controls or of the system each calls for, and the service auditor's report each produces, followed by several further points of difference.

TOPIC: Nature of the Standard

  SAS 70: US Audit Standard
  SSAE 16: AICPA Attestation Standard
  ISAE 3402: International Assurance Standard

TOPIC: Written Assertions

  SAS 70: A written assertion by management is not required. For service organizations that use subservice organizations and if the inclusive method is used, the audit report does not require an assertion by the subservice organization.
  SSAE 16 and ISAE 3402: A written assertion by management is required and must include the suitable criteria used for its assessment. For service organizations that use subservice organizations and if the inclusive method is used, the audit report must include a written assertion by the subservice organization.

TOPIC: Description of Controls/System

  SAS 70: The service organization must provide a description of controls. The service auditor’s report must contain a description of control objectives and related controls, including complementary user controls.
  SSAE 16 and ISAE 3402: The service organization must provide a description of its system as designed and implemented, which is a broader description than only the controls. The service auditor’s report must contain aspects of the service organization’s control environment, risk assessment process, information and communication systems, control activities, and monitoring controls (COSO Internal Control Framework).

TOPIC: Service Auditor’s Reports

  All three standards: Type I and Type II reports can be issued by service auditors, and services provided by subservice organizations may be included (inclusive method) or excluded (carve-out method).
  SAS 70: For Type II reports, the opinion on fair presentation of the system and suitability of design is as of a point in time.
  SSAE 16 and ISAE 3402: For Type II reports, the opinion on fair presentation of the system and suitability of design is for the period covered by the report.

  Service auditor reports under SAS 70, SSAE 16, or ISAE 3402:

  • are not applicable to examinations of controls over matters other than financial reporting;
  • do not represent a “certification” of any kind and should be used primarily as an auditor-to-auditor communication tool;
  • are restricted use reports for the service organization, user entities, and user auditors.

TOPIC: Intentional Acts by Service Organization Personnel

  Requires an assessment of the risk and impact on the report.
  Does not require an assessment of the risk and impact on the report.

TOPIC: Sampling Deviations

  All deviations should be considered consistently.
  Deviations can be treated as “anomalies” under certain circumstances.

TOPIC: Internal Audit

  SAS 70: Permits the use of the Internal Audit function but does not require disclosure of the work performed by the internal audit function or of the testing performed on that work by the service auditor.
  SSAE 16: Explicitly discusses use of the Internal Audit function and requires the service auditor to describe the work performed by the internal audit function and the procedures used to test that work.
  ISAE 3402: Does not specifically discuss the use of the Internal Audit function, but separate “audits” performed by internal audit that are relevant to the service auditor’s activities can be relied upon.

TOPIC: Subsequent Events

  SAS 70: Must disclose subsequent events that occurred after the period covered by the service auditor’s report but before the date of the service auditor’s report. Requires disclosure of subsequent events that would have a significant effect on user organizations.
  SSAE 16: Must disclose two types of events:
  • events that take place after the period of audit but before the date of the service auditor’s report;
  • events that take place following the date of the service auditor’s report.
  Requires disclosure of subsequent events if user organizations would otherwise be misled.
  ISAE 3402: Must disclose only events that take place after the period of the audit but before the date of the service auditor’s report. Requires disclosure of subsequent events that have a significant effect on the report.