September 2, 2014

ISAE 3402

The SSAE16 Auditing Standard


SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and the rest of the companies in the US, up to date with new international service organization reporting standards, the ISAE 3402. The adjustments made from SAS 70 to SSAE 16 will help you and your counterparts in the US compete on an international level; allowing companies around the world to give you their business with complete confidence.

SSAE16 is now effective as of June 15, 2011, and if you have not made the necessary adjustments required, now is the time to find a quality provider to discuss the proper steps. All organizations are now required to issue their Service Auditor Reports under the SSAE 16 standards in an SOC 1 Report.

Who Needs an SSAE 16 (SOC 1) Audit?

A service organization’s services are part of an entity’s information system if they affect any of the following:The classes of transactions in the entity’s operations that are significant to the entity’s financial statements. The procedures, both automated and manual, by which the entity’s transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements.The related accounting records, whether electronic or manual, supporting information, and specific accounts in the entity’s financial statements involved in initiating, recording, processing and reporting the entity’s transactions. How the entity’s information system captures other events and conditions that are significant to the financial statements. The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:

  • Payroll Processing
  • Loan Servicing
  • Data Center/Co-Location/Network Monitoring Services
  • Software as a Service (SaaS)
  • Medical Claims Processors

What you Need to Know:

Before starting the SSAE 16 process, there are a number of considerations one must take into account that can save considerable time, effort, and money in the long run. Use the following items as a mini checklist for yourself:

  • Does my Company need an SSAE16, or, are we doing it just because someone asked?
  • Reports on the low end can run at least $15,000 a year, will the business lost be less of a burden than the cost of the report itself?
  • Does your company have defined Business Process and IT controls in place, or, will you need assistance developing and implementing them (readiness assessment)?
  • Have you determined the controls in place which affect the outsourced services being provided?
  • Have key stakeholders been defined and included in discussions?

There are many other issues to consider before engaging a CPA firm to help with your SSAE 16, for a more detailed ‘checklist’ – please see The SSAE 16 Checklist

SSAE 16 vs ISAE 3402 – Part 2 – Intentional Acts


The first difference between the SSAE 16 and ISAE 3402 Standards is that SSAE 16 requires the service auditor to assess the risk associated with potential “Intentional Acts by Service Organization Personnel”.

Under SSAE 16, If the service auditor, while performing their review, notices deviations that could have been a result of an intentional act by an employee of the service organization, the auditor is required to dig into it. The reasoning for this is to determine whether or not the description of the service organization’s system is not fairly presented and that the controls are not suitably designed or operating effectively.

So, it seems that in this case, the SSAE 16 standard is a bit stricter. If the auditor is not required to dig into an intentional act committed by an employee of the service organization, how would the Auditing Firm and User Organizations feel comfortable with the report? In my opinion, they shouldn’t. Without any consequences for the service organization (failed report), there is an incentive for the service organization to try and operate outside the control structure as defined as it is unlikely that they would be held responsible for their actions. This might be a question you would want to dig into if you are going to use a company that has only been issued an ISAE 3402 report.

Be on the lookout for the next post related to the difference between SSAE 16 and ISAE 3402, Anomalies.

SSAE 16 vs ISAE 3402 – Part 1


SSAE 16 was built upon the ISAE 3402 framework, which essentially is the same thing, but accepted at an international level with a number of deviations to be discussed here over time. The AICPA and other standard settings organizations are now encouraged to design their frameworks for reporting on controls at a service organization around the ISAE 3402 framework, this will allow for increased fluidity and lower expenses to complete globally. ISAE 3402 was intentionally designed to allow for minor modifications to adjust for local protocols and existing frameworks.


SSAE 16 contains 9 deviations from the ISAE 3402 framework, at a high level include:

      1. Intentional Acts by Service Organization Personnel
      2. Anomalies
      3. Direct Assistance
      4. Subsequent Events
      5. Statement Restricting Use of the Service Auditor’s Report
      6. Documentation Completion
      7. Engagement Acceptance and Continuance
      8. Disclaimer of Opinion
      9. Elements of the SSAE Report That are Not Required in the ISAE 3402 Report


These topics will be delved into in greater depth at a later time, however, are not of concern if you do not plan on performing outsourcing services for an organization located outside of the United States.