Regulatory Compliance, Governance and Security

Sep 29 2010   8:54PM GMT

ISAE 3402 and SSAE 16 | Say Goodbye to the SAS 70 Auditing Standard



ISAE 3402, The International Standard on Assurance Engagements,“Assurance Reports on Controls at a Service Organization” and SSAE 16, Statement on Standards for Attestation Engagements No. 16, are effectively replacing the U.S. Statement on Auditing Standards No. 70, known as SAS 70.

SAS 70, which has been with us since April of 1992, slowly grew into an internationally recognized auditing standard that was used by service auditors performing engagements on service organizations for purposes of reporting on controls placed in operation and (in the case of a SAS 70 Type II) their operating effectiveness.

What’s interesting to note about SSAE 16 and ISAE 3402 is that they both require a description of the service organization’s “system” along with a written assertion by management. SAS 70 required merely a description of “controls” and did not require a written assertion by management. These are two (2) fundamental components of SSAE 16 and ISAE 3402 that all service organizations should be aware of.

Some service organizations will find that substantial work will have to be undertaken for ensuring their prior SAS 70 description of “controls” meets the intent and rigor of the SSAE 16 and ISAE 3402 description of its “system”. Lastly it is important to note that SSAE 16 is now an “attest” standard, while ISAE 3402 is an “assurance” standard.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: