The first difference between the SSAE 16 and ISAE 3402 Standards is that SSAE 16 requires the service auditor to assess the risk associated with potential “Intentional Acts by Service Organization Personnel”.
Under SSAE 16, If the service auditor, while performing their review, notices deviations that could have been a result of an intentional act by an employee of the service organization, the auditor is required to dig into it. The reasoning for this is to determine whether or not the description of the service organization’s system is not fairly presented and that the controls are not suitably designed or operating effectively.
So, it seems that in this case, the SSAE 16 standard is a bit stricter. If the auditor is not required to dig into an intentional act committed by an employee of the service organization, how would the Auditing Firm and User Organizations feel comfortable with the report? In my opinion, they shouldn’t. Without any consequences for the service organization (failed report), there is an incentive for the service organization to try and operate outside the control structure as defined as it is unlikely that they would be held responsible for their actions. This might be a question you would want to dig into if you are going to use a company that has only been issued an ISAE 3402 report.
Be on the lookout for the next post related to the difference between SSAE 16 and ISAE 3402, Anomalies.