
SSAE 16 and ISAE 3402

Using a risk based approach to provide value added services across non regulated sectors.

For reporting periods on or after 15 June 2011 the widely used SAS 70 report on controls at a service organization will no longer apply. It has been superseded by SSAE 16 in the US. Internationally the equivalent is ISAE 3402.

1. The purpose of SAS 70

Statements on Auditing Standards No. 70 (SAS 70), which was developed in 1992, is a U.S. standard that is governed by the American Institute of Certified Public Accountants (AICPA). An audit performed under this standard is designed to produce a report for use by the auditors of the clients of a service organization in planning a financial statement audit of the client of the service organization. Because the service organization's client has outsourced part of its processing to the service organization, a portion of the client's internal control is located at the service organization. In order to plan a financial statement audit of the client, the client's auditors must either perform procedures at the service organization or rely upon the report of another auditor on the description of controls in place at the service organization over the processing of the client's transactions.

In the absence of a current Service Auditor's Report, a service organization may have to handle multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources. A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor's requirements. Furthermore, a Service Auditor's Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e., customers).

2. The New Standards (SSAE 16 & ISAE 3402)

In recognition of the necessity for an international standard similar to SAS 70, the International Auditing and Assurance Standards Board (IAASB) issued International Standard on Assurance Engagements No. 3402 (ISAE 3402), titled Assurance Reports on Controls at a Service Organization, in December 2009. In April 2010, AICPA mirrored this standard by issuing the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), titled Reporting on Controls at a Service Organization. Both are effective for reporting periods on or after 15 June 2011 and the widely used SAS 70 report on controls at a service organization will cease to be relevant after that date.

The new standards are largely similar to SAS 70. Each enables a service auditor to perform two types of engagements:
- A type 1 engagement in which the service auditor reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- A type 2 engagement in which the service auditor reports on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

ISAE 3402 and SSAE 16 provide specific requirements that management must meet in order to provide a written assertion. Highlights of management's assertion are as follows:

- It should be based on suitable criteria which management should select to be used to make their assertion, and should state such criteria within the assertion.
- It will be included in, or attached to, management's description of the system and documented within the report.
- A service auditor is prohibited from issuing a report if management does not provide a written assertion.

3. The need for change

The IAASB and AICPA are not striving to completely revise standards on how to report on controls at a service organization. However, as mentioned previously, the need for such a standard internationally, in combination with the efforts to converge US GAAP and IFRS, led to ISAE 3402 and SSAE 16. Another factor contributing to the change was that the implementation of the Sarbanes-Oxley Act of 2002 in the US led to a much wider use of SAS 70 reports. Furthermore, a growth in the number of companies outsourcing services called for an update to the two decade old standard to meet the demands of the current global marketplace.

Significant differences from SAS 70:

1. Management Assertion

Similar to Sarbanes-Oxley requirements, SSAE 16 & ISAE 3402 will require a written assertion from the management of the service organization about the subject matter of the engagement. This places additional responsibilities on the service organization's management. Under SAS 70, engagements were considered direct-reporting engagements in which service auditors reported directly on controls at the service organization and management was not required to provide a written assertion. Under the new standards, engagements will be assertion based, thus management will be required to provide a written assertion, even though the auditor will continue to report on the subject matter.

Management should have a reasonable basis for its assertion, which may be achieved through ongoing monitoring activities that provide evidence of the design and operating effectiveness of controls. However, unlike Sarbanes-Oxley, there is no specific requirement for management testing. Management needs to consider the risks that threaten the achievement of control objectives and whether the controls in place are sufficient to mitigate those risks. A formal or informal process may be used by management to assess such risks; however these risks do not need to be included in the report. The new standards outline specific guidance on the written management assertion, which should make it fairly uncomplicated to apply.

2. Description of the System

Unlike the SAS 70 requirement that service organizations provide a description of controls, the new ISAE 3402 and SSAE 16 standards call for a more comprehensive description of the service organization's system. The description of the system should identify the following:

- Control objectives and related controls
- Aspects of the organisation's internal control framework (risk assessment, information and communication, monitoring, and control environment)
- The types of services provided, including the classes of transactions processed
- Relevant complementary controls of user entities
- Procedures and accounting records related to the services provided, including the initiation, authorisation, recording, processing, and correction of transactions
- Any changes to the system during the period covered by the report
- Significant events and conditions other than transactions
- The process used to prepare reports and other information for user entities

It is recognised that many service organisations which have previously obtained SAS 70 reports may find that their current description of the system already satisfies the requirements of the new standards.

3. Reporting period for the design of controls (Type 2 reports)

For SAS 70 Type 2 reports, the opinion on the description and suitability of the design of controls was as of a specified date, which was typically the last day of the reporting period. However, the new standards require the opinion on the design of controls over the entire period under review and not just as of a point in time.

4. Subservice Organisations

The new standards allow for service organisations to describe the use of subservice organisations either through the inclusive method or the carve-out method. This is similar to existing SAS 70 requirements. However, if management chooses to use the inclusive method, whereby the description of the system includes controls at the subservice organisation, management must also determine whether controls at the subservice organisation are suitably designed and/or operating effectively. Thus, in order to make this determination and support their own assertion, management would need to obtain a written assertion from the subservice organisation. A full description of the related control objectives and controls of the subservice organisation, as well as a letter of representation, would need to be provided.

5. Use of Internal audit

A service auditor may use the work of internal audit; however, the service auditor is required to identify in its description of tests of controls any of the internal auditors' work and the service auditor's procedures with respect to that work. No such disclosure is required if members of internal audit are used under the direction of the service auditor.

6. Reduction of testing: Use of prior evidence

The assessment of the design of controls (Type 1) or the operating effectiveness of controls (Type 2) must solely be based on evidence obtained during the period under review. As such, any evidence obtained in prior engagements regarding the satisfactory design and/or operation of controls in prior periods does not provide a basis for a reduction in the evaluation of the design or testing of controls, even if supplemented with evidence obtained during the current period.

Differences between SSAE 16 & ISAE 3402

1. Listing of differences

Although the US standard was written to mirror the international standard, some additional requirements and clarifications were written into SSAE 16. Below is an overview of the differences identified:

Intentional Acts
  SSAE 16: If a service auditor becomes aware that the deviations resulted from intentional acts by service organization personnel, the service auditor should assess the risk that the description of the service organization's system is not fairly presented and that the controls are not suitably designed or operating effectively.
  ISAE 3402: No such requirement.

Anomalies
  SSAE 16: Deviations may not be considered as anomalies when performing tests of controls.
  ISAE 3402: Allows deviations identified in tests of controls to be considered anomalies which are not representative of the population.

Direct Assistance
  SSAE 16: A service auditor may use the work of the internal audit function in a direct assistance capacity.
  ISAE 3402: This is not addressed.

Subsequent Events
  SSAE 16: Subsequent events up to the date of the report are required to be disclosed if their nature and significance is such that disclosure is necessary to prevent users of the report from being misled.
  ISAE 3402: No such requirement.

Restricting Use
  SSAE 16: The report includes a statement in a prescribed format restricting its use to management of the service organization, user entities of the service organization's system, and user auditors.
  ISAE 3402: The standard does not require the inclusion of a statement restricting the use of the report to specified parties, but it does not prohibit the inclusion of restricted use language either. Only a statement indicating its intended use by user entities and their auditors is required.

Documentation Completion
  SSAE 16: Requires engagement documentation to be completed on a timely basis after the date of the report and no later than 60 days following the report release date.
  ISAE 3402: Only requires completion on a timely basis but does not define the maximum number of days.

Engagement Acceptance and Continuance
  SSAE 16: Management of the service organization must acknowledge and accept responsibility for providing the service auditor with written representations at the conclusion of the engagement.
  ISAE 3402: No such acknowledgement is required, but written representation is required.

Disclaimer of Opinion
  SSAE 16: If written representations are not provided by the service organization, the auditor may disclaim an opinion or withdraw from the engagement.
  ISAE 3402: If written representations are not provided by the service organization, the auditor is required to disclaim an opinion.

Elements of the Report
  SSAE 16 contains certain incremental service audit report requirements over and above the requirements of ISAE 3402.

When the US standard was issued, the AICPA prepared a specific analysis highlighting these differences between the two standards. The detailed explanation of the rationale behind the analysis can be found in Exhibit B of SSAE 16.

2. Making a decision on which standard to follow

The decision by service organisations of whether to follow SSAE 16 or ISAE 3402 will be clear in most cases. If the service organisation is located within the US, or it has customers in the US that require a report of controls from the service organisation, SSAE 16 would apply. However, with the growing global economy, many service organisations may have operations and/or customers around the world and the decision may be more difficult. Fortunately, only small differences exist. However, a global service organisation that has a widespread customer base may wish to have an examination performed under both sets of standards.

3. AICPA Service Organisation Control Reports 1, 2 & 3

SSAE 16 falls under a new categorisation of Service Organisation Control (SOC) Reports (formerly SAS 70 reports). The AICPA have designed three reports which are intended to provide users with valuable information to address the risks associated with an outsourced service. They have recognised an increasing demand for reports on controls on matters other than financial reporting. Examples include reporting on controls surrounding the privacy of customer information or reporting on controls ensuring the availability and security of computing facilities. The establishment of these reports further emphasised that SSAE 16 reports are intended only for controls over financial reporting. SAS 70 reports were often misused as a means to obtain assurance for these other matters. The new categories that were drafted to correct these misuses are as follows:

- SOC 1 - Report on Controls at a Service Organisation Relevant to User Entities' Internal Control over Financial Reporting. This is the SSAE 16 report discussed above in detail.
- SOC 2 - Report on Controls at a Service Organisation Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. The relevant standard for these engagements is AT Section 101 of the SSAE.
- SOC 3 - Trust Services Report for Service Organisations. These are commonly referred to as SysTrust reports, which are not new and have only been re-categorised. Similar to SOC 2, these reports are also performed under AT Section 101 of the SSAE.

SOC 1 & SOC 2 reports will generally appear to be similar; however the subject matter being reported on will be different. SOC 2 reports specifically address one or more of the following five key system attributes:

A) Security - The system is protected against unauthorised access (both physical and logical).
B) Availability - The system is available for operation and use as committed or agreed.
C) Processing integrity - System processing is complete, accurate, timely and authorised.
D) Confidentiality - Information designated as confidential is protected as committed or agreed.
E) Privacy - Personal information is collected, used, retained, disclosed and disposed of in conformity with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA.

As with the SSAE 16 (SOC 1) report, there are two types of reports under SOC 2: a type 1 report on management's description of a service organisation's system and the suitability of the design of controls; and a type 2 report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls. Use of SOC 2 reports is generally restricted to intended users, whereas SOC 3 reports are for general use and can be freely distributed or posted on a website as a SysTrust for Service Organisations seal.

The IAASB have also addressed reporting on controls other than financial controls. Although ISAE 3402 states reporting is restricted to controls likely to be relevant to user entities' financial reporting, additional controls which may be outside of the scope of financial reporting (but still relevant to user entities) could still be reported under the standard.

The determination of whether controls at a service organisation related to operations and compliance are likely to be relevant to user entities' internal control is considered to be a matter of professional judgment with regard to the control objectives set by the service organisation and the suitability of the criteria. Careful consideration should be given by management, with the assistance of their service auditor, in determining the appropriateness of reporting on controls other than financial controls.

What to do to prepare:
- Determine what type of report and/or standard is needed through discussions with users. Many may wish to consult with their auditor to assist in the decision.
- Initiate discussions with subservice organizations in order to avoid difficulties in obtaining relevant assertions when the new standards become effective. Once the new standards are in place, if the management of a service organisation does not provide an assertion, the service auditor will not be able to accept the engagement. Management should actively coordinate this well in advance of the commencement of the service auditor's engagement.
- Review the current description of the system and determine its adequacy under the new standards.
- Determine if appropriate risk identification steps have been taken by management to adequately evaluate control monitoring processes. Management should also consider who should be responsible for making the written assertion.
- Review the standard to gain further knowledge of its requirements and start preparation discussions with auditors and users. Educating users and subservice organizations is also essential. In some cases, an assessment will need to be made for impacts to current contracts.

Please get in touch

For more information, please contact one of the team or your usual Mazars adviser.

Dera McLoughlin, Partner
T: +353 (0)1 4494485
E: dmcloughlin@mazars.ie

Or alternatively contact

Maria Cambell
T: +353 (0)1 449 4482
E: mcambell@mazars.ie

mazars.ie
This publication has been written in general terms and therefore cannot be relied upon to cover specific situations; application of the principles set
out will depend upon the particular circumstances involved and you must seek further professional advice before acting or refraining from acting on
any of the contents of this publication.
Mazars Ireland is the Irish firm of Mazars, an international advisory and accountancy organisation.
Registered by The Institute of Chartered Accountants in Ireland to carry out company audit work.
