• AICPA issuing SSAE 16: What does the change from SAS 70 to SSAE 16 mean?

    The AICPA issued SSAE #16 to supersede the SAS 70 standard and although SAS 70 is being replaced by SSAE 16, they are fundamentally the same.
    SSAE 16 was developed not only to update the SAS 70 standard, but also to align the US based standard to similar guidance released by the IAASB.
    EisnerAmper's Risk Advisory Services group discusses the most significant differences between SAS 70 and the superseding domestic (SSAE 16) and international (ISAE 3402) reporting standards.
A A A

SSAE 16

  • Background  

    The change from a Statement on Auditing Standards (“SAS”) to Standards for Attestation Engagements (“SSAE”) is a technical change that transfers the requirements from an auditing standard to an attest standard.

    The American Institute of Certified Public Accountants (“AICPA”) issued SSAE # 16 to supersede the commonly known “SAS 70” standard for examination periods dated on or after June 15, 2011. SSAE #16 was developed not only to update the SAS 70 standard, but also to align the US based standard to similar guidance released by the International Auditing and Assurance Standards Board (“IAASB”) known as the International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization (“ISAE 3402”).

    What does the change from SAS No. 70 to SSAE #16 mean?  

    Although SAS 70 is being replaced by SSAE 16, they are fundamentally the same. Below is a description of some of the key similarities and differences between the two standards. The following table describes the most significant differences between the current service organization reporting standard (i.e., SAS 70) and the superseding domestic and international reporting standards. This table is not meant to be an exhaustive list of all differences between the various service organization reporting standards. To gain a full understanding of how the existing and new standards affect service organizations, we recommend reviewing the full text of the standards to determine their applicability to your organization.

      SAS 70 STANDARD
    (United States)    		 SSAE 16
    (United States)    		 ISAE 3402
    (International)
    EFFECTIVE DATE Continues in existence for reports with review periods ending before June 15, 2011. SSAE 16 and ISAE 3402 are effective for reports with review periods ending on or after June 15, 2011. Both standards may be adopted early by service organizations.
    PROFESSIONAL
    STANDARDS    		 SAS 70 is a single audit standard that addresses the performance of a SAS 70 audit and the use of a SAS 70 audit report by user entities and user auditors. SSAE 16 and ISAE 3402 are the attestation standards that address reporting on controls at a service organization (for use by service auditors). Separate audit standards exist for addressing audit considerations relating to an entity using a service organization (for use by user auditors).
    MANAGEMENT’S
    ASSERTION    		 Requires management to provide written representations in the form of a management representation letter that is obtained by the service auditor prior to the issuance of the SAS 70 audit report. Management of service organizations are required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization’s system, the suitability of the design of the controls, and in the case of a Type 2 report, the operating effectiveness of the controls. These assertions accompany management’s description of the service organization’s system and are similar in nature to those that were previously included in SAS 70 audit management representation letters. A separate management representation letter is also required.
    SUITABLE
    CRITERIA    		 Management’s assertion, and the underlying suitable criteria, are not a component of a SAS 70 audit report. A service organization’s management is responsible for specifying the criteria that it used to prepare the description of its system. The minimum suitable criteria are described in the standards and are the determining factor as to whether an assessment constitutes a Type 1 or Type 2 audit.
    SUITABILITY
    OF DESIGN OF
    CONTROLS    		 Type 1 and Type 2 opinion letters opine on the suitability of design of controls as of a specified date in time. Similar to SAS 70 audits, Type 1 opinion letters opine on the suitability of design of controls as of a specified date in time. However, Type 2 opinion letters are now required to opine on the suitability of design of controls over the entire specified review period.
    EVIDENCE
    OBTAINED
    IN PRIOR
    ENGAGEMENTS    		 A service auditor may use evidence from prior service auditor’s engagements to reduce the nature, timing, and extent of the tests of operating effectiveness. A service auditor may not use evidence obtained in prior engagements about the satisfactory operation of controls in prior periods to provide a basis for a reduction in testing, even if it is supplemented with evidence obtained during the current period.
    USE OF
    INTERNAL
    AUDIT’S WORK
    PRODUCT    		 A service auditor is not required to disclose its use of internal audit’s work product. In the case of a Type 2 report, a service auditor is required to disclose the nature and extent to which it relied on the work of internal auditors in its description of tests of controls. The service auditor’s procedures with respect to that work must also be disclosed.
    REPORT
    DISTRIBUTION
    RESTRICTIONS    		 Standard opinion letter language restricts use of the report to the service organization’s management, its customers, and their customers’ financial statement auditors. Standard opinion letter language is modified to restrict use of the report to the service organization’s management, customers of the service as of a specified date (in the case of a Type 1 report), or during the specified review period (in the case of a Type 2 report), and the customers’ financial statement auditors. Standard opinion letter language defines intended users of the report as customers of the service and the customers’ financial statement auditors. In addition, the service auditor may include wording that specifically restricts distribution of the report other than to intended users, its use by others, or its use for other purposes.
    INCLUSIVE
    REPORTING
    METHOD    		 No requirement to obtain representations from subservice organizations prior to including its controls in a service organization’s SAS 70 audit report. Subservice organizations are required to provide assertions and written representations similar to those provided by the service organization’s management. The inclusive reporting method cannot be applied if a subservice organization refuses to provide relevant management assertions and a management representation letter.



    This document contains information in summary form and is intended for general guidance only. EisnerAmper, LLP makes no representation or guarantee as to the correctness or sufficiency of any information contained herein, nor a guarantee of results based upon the use of this information, and disclaims all warranties whether implied, express or statutory, including without limitation, implied warranties of merchantability, fitness for use and fitness for a particular purpose. No one should act on this information without appropriate professional advice after a thorough examination of the particular situation.     

    Search Risk Advisory articles 

An Independent Member of PKF International Limited.