SSAE 16 was built upon the ISAE 3402 framework, which essentially is the same thing, but accepted at an international level with a number of deviations to be discussed here over time. The AICPA and other standard settings organizations are now encouraged to design their frameworks for reporting on controls at a service organization around the ISAE 3402 framework, this will allow for increased fluidity and lower expenses to complete globally. ISAE 3402 was intentionally designed to allow for minor modifications to adjust for local protocols and existing frameworks.
SSAE 16 contains 9 deviations from the ISAE 3402 framework, at a high level include:
- 1. Intentional Acts by Service Organization Personnel
- 2. Anomalies
- 3. Direct Assistance
- 4. Subsequent Events
- 5. Statement Restricting Use of the Service Auditor’s Report
- 6. Documentation Completion
- 7. Engagement Acceptance and Continuance
- 8. Disclaimer of Opinion
- 9. Elements of the SSAE Report That are Not Required in the ISAE 3402 Report
These topics will be delved into in greater depth at a later time, however, are not of concern if you do not plan on performing outsourcing services for an organization located outside of the United States.