What's SSAE 16?
According to the SSAE 16
Resource Guide, the definition is:
"The Statement on Standards for Attestation Engagements (SSAE) No. 16 is
an attestation standard put forth by the Auditing Standards Board (ASB) of the
American Institute of Certified Public Accountants (AICPA) that addresses
engagements undertaken by a service auditor for reporting on controls at
organizations (i.e., service organizations) that provide services to user
entities, for which a service organization's controls are likely to be relevant
to a user entities internal control over financial reporting (ICFR)."
SSAE 16 and SAS 70
There are a few main differences of the two, including:
- SSAE 16 is an attestation standard, while SAS 70
is an auditing standard. This falls in line with ISAE 3402 International
- For reporting, SSAE 16 requires descriptions of
an organization's system and a written assertion by management, while SAS 70
only requires a description of the organization's controls and no written
- The main difference is that SSAE 16 is more
comprehensive and covers more than previously with SAS 70.
Differences in Service
Organization Control (SOC) 1, 2 and 3 Reports
The SOC 1 standard, which superseded the SAS 70 reporting
standard and follows SSAE 16, details information on the controls of a service organization.
These controls maintain relevance to internal control over financial reporting.
This was the previous standard with the superseded SAS 70.
SOC 2 reports test and report on the design and
effectiveness of an organization's controls. The focus isn't on financial, but
instead on controls related to areas including:
- Processing Integrity
This report is based on the Trust Services Principles and
performed in accordance with the AICPAs AT101.
Also under the Trust Services Principles and AT101, SOC 3 is
for general use and reports on the organization's ability to achieve the Trust
Services Principles’ criteria. SOC 3 reports do not contain a detailed
description of controls provided by the service organization but state the
compliance status of the service organization against the selected Trust
SSAE 16, SAS 70 and ISAE 3402
The International Standard on Assurance Engagements (ISAE)
is the international framework around which SSAE 16 was built. Although they
are similar, they do have differences which SSAE 16 pursues, as ISAE 3402
- Intentional acts from service organization
- Direct assistance
- And more…
Concerning the SAS 70, there are two main differences between
SSAE 16 and ISAE 3402:
- SAS 70 doesn't require a written assertion from
- SAS 70 doesn't require a description of the