The preferred reports for service organizations with direct impact on internal controls over financial reporting of their clients are the SSAE 16 (Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, issued by the Auditing Standards Board of the American Institute of Certified Public Accountants) and ISAE 3402 (International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, issued in December 2009 by the International Auditing and Assurance Standards Board). While these reporting options were designed to align, there is a common misconception that an SSAE 16 examination and an ISAE 3402 examination are exactly the same. A careful review shows that there are actually nine key differences that make ISAE 3402 distinct from SSAE 16.
The Differences Between ISAE 3402 and SSAE 16
- Intentional Acts by Service Organization Personnel
SSAE 16 requires the service auditor to investigate any noted deviations that could have been caused by an intentional act of service organization personnel. It also requires that the auditor receive written representations from service organization management detailing any actual, suspected or alleged intentional acts that could affect the fair presentation of management’s description of the system. An example of an intentional act is an employee committing fraud.
While both standards require the investigation of any deviations identified, ISAE 3402 does not explicitly require auditors to obtain the written representations.
- Anomalies
An operating anomaly is something that deviates from the standard. ISAE 3402 contains a requirement that allows a service auditor to conclude that a deviation identified when testing a sample of a control can be considered an anomaly. The reasoning is that when controls are sampled, the samples drawn are not necessarily representative of the entire population.
On the other hand, SSAE 16 treats all deviations in the same manner and does not set any of them aside as anomalies.
- Direct Assistance
SSAE 16 requires that the service auditor applies U.S. audit standards guidance when the service auditor uses members of the service organization’s internal audit function to provide direct assistance.
ISAE 3402, on the other hand, does not provide for use of the internal audit function for direct assistance.
- Subsequent Events
SSAE 16 requires that the auditor discloses any event that could be significant in order to prevent users from being misled. A subsequent event would be something that could change management’s assertion after the audit period has ended. However, ISAE 3402 limits the types of subsequent events that would be disclosed in the service auditor’s report to only those that could have a significant effect on the service auditor’s report.
Following the release of the report, SSAE 16 also requires the service auditor to adapt and apply the appropriate U.S. audit standards guidance if they become aware of conditions that existed at the report date and could have affected management’s assertion had the service auditor known about them.
- Statement Restricting Use of the Service Auditor’s Report
SSAE 16 requires that the service auditor’s report include a statement restricting the use of the report to management of the service organization, user entities, and user auditors.
ISAE 3402 requires that the service auditor’s report include a statement that indicates that the report is intended for the service organization, user entities, and user auditors, but does not require a statement restricting its use.
- Documentation Completion
ISAE 3402 requires that the service auditor assemble the appropriate documentation in an engagement file and complete the assembly after the completion of the service auditor’s report.
SSAE 16 also requires this measure but has a 60-day timeline following the service auditor’s report release date.
- Engagement Acceptance and Continuance
SSAE 16 establishes that management acknowledges and accepts the responsibility of providing the service auditor with written representations at the conclusion of the engagement.
ISAE 3402 does not require this acknowledgment.
- Disclaimer of Opinion
If the service provider does not provide the assessor with specific written representation, ISAE 3402 requires that the auditor disclaim an opinion after discussing the matter with management. If this were to occur, the auditor is required to take action.
SSAE 16 requires that the service auditor take action as well, either in the same manner or by withdrawing from the engagement. SSAE 16 also contains certain incremental requirements when the auditor plans to disclaim an opinion.
- Elements of the Section 801 Report That Are Not Required in the ISAE 3402 Report
SSAE 16 contains certain requirements that are incremental to those in ISAE 3402. These requirements are as follows:
- The identification of any information included in the documentation that is not covered by the service auditor’s report.
- A reference to management’s assertion, and a statement that management is responsible for identifying any of the risks that threaten the achievement of the control objectives.
- A statement that the examination included assessing the risks that management’s description of the service organization’s system is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives.
- A statement that an examination engagement of this type also includes evaluating the overall presentation of management’s description of the service organization’s system and suitability of the control objectives stated in the description.
While both SSAE 16 and ISAE 3402 are designed to accomplish the same goal in terms of reporting the establishment of effectively designed controls over financial reporting, some service organizations may need to provide reports to their clients (user entities) under each standard. Often this is driven by the need to perform services within and outside of the United States. For those service organizations, the U.S.-based standard allows for SSAE 16 reporting to be performed in accordance with the ISAE 3402 standards, often referred to as a combined report.
When considering the reporting option that makes sense for your organization, it is important to work with an experienced assessor who can understand the unique needs of your company. A-LIGN has conducted more than 4,000 SOC 1, SOC 2 and ISAE 3402 reports and understands the challenges that each can present for an organization seeking a report. Contact us now to find out more about how A-LIGN can help at firstname.lastname@example.org or call 888-702-5446.