The first difference between the SSAE 16 and ISAE 3402 Standards is that SSAE 16 requires the service auditor to assess the risk associated with potential “Intentional Acts by Service Organization Personnel”.
Under SSAE 16, If the service auditor, while performing their review, notices deviations that could have been a result of an intentional act by an employee of the service organization, the auditor is required to dig into it. The reasoning for this is to determine whether or not the description of the service organization’s system is not fairly presented and that the controls are not suitably designed or operating effectively.
So, it seems that in this case, the SSAE 16 standard is a bit stricter. If the auditor is not required to dig into an intentional act committed by an employee of the service organization, how would the Auditing Firm and User Organizations feel comfortable with the report? In my opinion, they shouldn’t. Without any consequences for the service organization (failed report), there is an incentive for the service organization to try and operate outside the control structure as defined as it is unlikely that they would be held responsible for their actions. This might be a question you would want to dig into if you are going to use a company that has only been issued an ISAE 3402 report.
Be on the lookout for the next post related to the difference between SSAE 16 and ISAE 3402, Anomalies.
Tags: difference between isae 3402 and ssae 16, difference between ssae 16 and isae 3402, difference between ssae and isae, difference isae 3402 ssae 16, differences between isae 3402 and ssae 16, differences between ssae 16 and isae 3402, intentional acts in auditing, ISAE 3402, isae 3402 soc 2, isae 3402 vs ssae 16, isae3402 soc2, ssae 10 versus isae, ssae 16 and isae 3402 differences, ssae 16 intentional act, ssae 16 vs isae 3402, technical differences between ssae16 and isae3402