Understanding U.S. Auditing Standards: SSAE 16 vs. ISAE 3402

Posted by Reading Time: 5 minutes

By Sean B. Woods

Sept. 12 – SSAE 16, issued by the Auditing Standards Board of the American Institute of Certified Public Accountants, was effective as of June 15, 2011 and governs reporting on controls at a service organization located within the United States. With the trend for U.S. accounting and auditing standards to be more in line with international standards, and eventual convergence of U.S. standards with international standards, SSAE 16 was built upon the existing ISAE 3402 framework, which has been adopted by the International Auditing and Assurance Standards Board.

There are three different reports available under SSAE 16 depending on the type of service organization and client information it controls or processes. Those three reports are:

  • SOC 1 Report – Report on controls at a service organization relevant to user entities’ internal control over financial reporting (i.e. payroll processing companies, third party billing companies, third party administrators for retirement plans, data centers, insurance and claims processing, credit card collection and payment processing)
  • SOC 2 Report – Report on controls at a service organization relevant to non-financial controls, or Trust Service Principles (i.e. data centers, cloud computing and hosting companies, banks and financial institutions, healthcare and entities subject to HIPAA regulations, insurance and claims processing, government and public services, credit card collection and payment processing, communication, energy and utilities, transportation and logistics, entities subject to U.S. Graham-Leach-Billey Act)
  • SOC 3 Report – Report on controls at a service organization relevant to non-financial controls that can be distributed to the general public (i.e. entities desiring WebTrust or SysTrust reports)

The Trust Service Principles introduced in SSAE 16 encompass the following:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

SSAE 16 and ISAE 3402 are generally the same set of standards, and those reports issued under SSAE 16 will now be more acceptable by the global community. However, while the two standards are essentially the same, there are nine very specific differences or deviations between SSAE 16 and ISAE 3402. Those are:

  • Intentional Acts by Service Organization Personnel
  • Anomalies
  • Direct Assistance
  • Subsequent Events
  • Statement Restricting Use of the Service Auditor’s Report
  • Documentation Completion
  • Engagement Acceptance and Continuance
  • Disclaimer of Opinion
  • Elements of the SSAE Report that are not Required in the ISAE 3402 Report

Each of the above will be briefly discussed below.

Intentional Acts by Service Organization Personnel
SSAE 16 requires the service auditor to investigate the nature and cause of any deviations identified, as does ISAE 3402. SSAE 16 indicates that if the service auditor becomes aware that the deviations resulted from intentional acts by service organization personnel, the service auditor should assess the risk that management’s description of the service organization’s system is not fairly presented, the controls are not suitably designed, and in a type 2 engagement, the controls are not operating effectively. The ISAE does not contain this additional requirement.

SSAE 16, also requires the service auditor to request written representations from management that it has disclosed to the service auditor knowledge of any actual, suspected, or alleged intentional acts by management or the service organization’s employees, of which it is aware, that could adversely affect the fairness of the presentation of management’s description of the service organization’s system or the completeness or achievement of the control objectives stated in the description. The ISAE does not include this requirement.

Anomalies
ISAE 3402 contains a requirement that enables a service auditor to conclude that a deviation identified in tests of controls involving sampling is not representative of the population from which the same was drawn, and uses terminology such as “extremely rare circumstances” and “high degree of certainty.”

These terms are not used in U.S. professional standards. Instead, SSAE 16 requires that deviations identified by the service auditor in tests of controls involving sampling be treated in the same manner as any other deviation, rather than as an “anomaly.”

Direct Assistance
SSAE 16 requires the service auditor to adapt and apply U.S. auditing standards guidance when the service auditor uses members of the service organization’s internal audit function to provide direct assistance. ISAE 3402 does not provide for use of the internal audit function for direct assistance.

Subsequent Events
SSAE 16 requires the service auditor to disclose in the service auditor’s report, if not disclosed by management in its description, any event that is of such a nature and significance that its disclosure is necessary to prevent users from being misled. ISAE 3402 limits the types of subsequent events that would need to be disclosed in the service auditor’s report to those that could have a significant effect on the service auditor’s report.

SSAE 16 requires the service auditor to adapt and apply U.S. auditing standards guidance if, after the release of the service auditor’s report, the service auditor becomes aware of conditions that existed at the report date that might have affected management’s assertion and the service auditor’s report had the service auditor been aware of them. ISAE 3402 does not include a similar requirement.

Statement Restricting Use of the Service Auditor’s Report
SSAE 16 requires the service auditor’s report to include a statement restricting the use of the report to management of the service organization, user entities of the service organization’s system, and user auditors. ISAE 3402 requires the service auditor’s report to include a statement indicating that the report is intended only for user entities and their auditors, but does not require the inclusion of a statement restricting the use of the report to specified parties.

Documentation Completion
ISAE 3402 requires the service auditor to assemble the documentation in an engagement file and complete the administrative process of assembling the final engagement file on a timely basis after the date of the service auditor’s report. SSAE 16 has the same requirement, but also indicates that a timely basis is no later than 60 days following the service auditor’s report release date.

Engagement Acceptance and Continuance
SSAE 16 establishes conditions for the acceptance and continuance of an engagement to report on controls at a service organization. One of the conditions is that management acknowledge and accept responsibility for providing the service auditor with written representations at the conclusion of the engagement. ISAE 3402 does not include this requirement as a condition of engagement acceptance and continuance.

Disclaimer of Opinion
If management does not provide the service auditor with certain written representations, ISAE 3402 requires the service auditor, after discussing the matter with management, to disclaim an opinion. In the same circumstances, SSAE 16 requires the service auditor to take appropriate action, which may include disclaiming an opinion or withdrawing from the engagement. In addition, SSAE 16 contains certain incremental requirements when the service auditor plans to disclaim an opinion.

Elements of the SSAE Report that are not Required in the ISAE 3402 Report
SSAE 16 contains certain requirements regarding the content of the service auditor’s report, which are incremental to those in ISAE 3402. These incremental requirements are:

  • Identification of any information included in a document containing the service auditor’s report that is not covered by the service auditor’s report.
  • A reference to management’s assertion and a statement that management is responsible for identifying the risks that threaten the achievement of the control objectives.
  • A statement that the examination included assessing the risks that management’s description of the service organization’s system is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives.
  • A statement that an examination engagement of this type also includes evaluating the overall presentation of management’s description of the service organization’s system and suitability of the control objectives stated in the description.

For more information related to ISAE 3402 and/or SSAE 16 prerequisites and readiness, feel free to contact Sean B. Woods with WY Technology at www.wytechnology.com.

Dezan Shira & Associates is a specialist foreign direct investment practice, providing corporate establishment, business advisory, tax advisory and compliance, accounting, payroll, due diligence and financial review services to multinationals investing in emerging Asia.

For further details or to contact the firm, please email china@dezshira.com, visit www.dezshira.com, or download the company brochure.

You can stay up to date with the latest business and investment trends across China by subscribing to The China Advantage, our complimentary update service featuring news, commentary, guides, and multimedia resources.