Management’s description of the service organization’s “system” fairly presents the service organization’s system that was designed and implemented at either a specific date (Type 1 report) or implemented throughout a specified time period (Type 2 report).

The control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives at either a specific date (16 Type 1 report) or designed throughout a specified time period (Type 2 report) to achieve those control objectives along with having them operate effectively throughout the specified time period.

The criteria used to effectively making these assertions (i.e., risk factors relating to controls and control objectives) and (for a SSAE 16 Type 2) that the controls were consistently applied.

To learn more about SSAE 16, visit the SSAE 16 Resource Guide.

SAS 70, which has been with us since April of 1992, slowly grew into an internationally recognized auditing standard that was used by service auditors performing engagements on service organizations for purposes of reporting on controls placed in operation and (in the case of a SAS 70 Type II) their operating effectiveness.

What’s interesting to note about SSAE 16 and ISAE 3402 is that they both require a description of the service organization’s “system” along with a written assertion by management. SAS 70 required merely a description of “controls” and did not require a written assertion by management. These are two (2) fundamental components of SSAE 16 and ISAE 3402 that all service organizations should be aware of.

Some service organizations will find that substantial work will have to be undertaken for ensuring their prior SAS 70 description of “controls” meets the intent and rigor of the SSAE 16 and ISAE 3402 description of its “system”. Lastly it is important to note that SSAE 16 is now an “attest” standard, while ISAE 3402 is an “assurance” standard.

There are also a number of other roles, responsibilities, and requirements which management must undertake, but what’s important to note at this point is why the new auditing standard came to be, effectively creating a need for the U.S. standard (SAS 70) to be replaced, which is being done with SSAE 16.

ISAE 3402 represents a migration towards global accounting principles and standards; one that creates transparency and much more clarity when reporting on controls at service organizations. SAS 70, the standard used globally by many practitioners, had been showing its limitations for a number of years, due in large part that it was a U.S. based standard and was not always meeting the ever-growing and complex reporting requirements for service organizations.

ISAE 3402 (and the U.S. Standard of SSAE 16) are soon on their way to becoming the “standard” for reporting on controls at service organizations. Early adoption of the two standards is permitted, but it seems likely most service organizations will wait until 2011. Be prepared and get the facts about the ISAE 3402 standard.