ISAE 3402, The International Standard on Assurance Engagements,“Assurance Reports on Controls at a Service Organization” and SSAE 16, Statement on Standards for Attestation Engagements No. 16, are effectively replacing the U.S. Statement on Auditing Standards No. 70, known as SAS 70.
SAS 70, which has been with us since April of 1992, slowly grew into an internationally recognized auditing standard that was used by service auditors performing engagements on service organizations for purposes of reporting on controls placed in operation and (in the case of a SAS 70 Type II) their operating effectiveness.
What’s interesting to note about SSAE 16 and ISAE 3402 is that they both require a description of the service organization’s “system” along with a written assertion by management. SAS 70 required merely a description of “controls” and did not require a written assertion by management. These are two (2) fundamental components of SSAE 16 and ISAE 3402 that all service organizations should be aware of.
Some service organizations will find that substantial work will have to be undertaken for ensuring their prior SAS 70 description of “controls” meets the intent and rigor of the SSAE 16 and ISAE 3402 description of its “system”. Lastly it is important to note that SSAE 16 is now an “attest” standard, while ISAE 3402 is an “assurance” standard.