SSAE 16 AICPA vs. SAS 70 | What you Need to Know and Why

A New Standard Emerges

The terms SSAE 16 and SAS 70 have been used quite extensively in the auditing world as of late, and for good reason. Statement on Auditing Standards No. 70, known simply as SAS 70 to many, is nearing the end of its lifecycle after approximately 20 years of service. Since its 1992 inception, the US auditing standard gradually became the global de facto framework used for reporting on controls at service organizations. Across the globe, SAS 70 and its local derivatives became a well-known, widely used, and universally accepted audit mechanism that provided assurance to a large and ever-growing pool of users.

Statement on Standards for Attestation Engagements (SSAE) No. 16, known as SSAE 16, has been put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Its purpose was to replace the aging SAS 70 standard, but more importantly, to keep pace with the ever-growing push for more globally accepted international accounting standards. SSAE 16 was born in 2010 as an "attest" standard that closely mirrors its international "assurance" equivalent, ISAE 3402, which was issued by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC).


The move from SAS 70 to SSAE 16 can be seen as a natural evolution of the dated standard and a transition of authority from one governing accounting body to another. SSAE 16 introduces new ideas, requirements, and a fresh approach to compliance reporting on controls at service organizations, as well as to the responsibilities of the service organization being audited.

Summary of Significant Changes

The following table describes the most significant differences between the current service organization reporting standard (i.e., SAS 70) and the superseding domestic and international reporting standards. This table is not meant to be an exhaustive list of all differences between the various service organization reporting standards. Interested parties are advised to review the relevant standard(s) in detail to fully understand the effect of the changes for their purposes.

Effective Date
SAS 70: Acceptable for reports with specified dates / review periods ending before June 15, 2011.
SSAE 16: SSAE 16 and ISAE 3402 are effective for reports with specified dates / review periods ending on or after June 15, 2011. Both standards may be adopted early by service organizations.

Form
SAS 70: SAS 70 is a single audit standard that addresses the performance of a SAS 70 audit and the use of a SAS 70 audit report by user entities and user auditors.
SSAE 16: SSAE 16 and ISAE 3402 are the attestation standards that address reporting on controls at a service organization. Separate audit standards exist for addressing audit considerations relating to an entity using a service organization.

Management Assertion
SAS 70: Requires management to provide written representations in the form of a management representation letter that is obtained by the service auditor prior to the issuance of the SAS 70 audit report, but does not require management assertions like those required by SSAE 16 and ISAE 3402.
SSAE 16: Management of a service organization is required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization's system, the suitability of the design of the controls, and, in the case of a Type 2 report, the operating effectiveness of the controls. These assertions accompany management's description of the service organization's system and are similar in nature to those that were previously included in SAS 70 audit management representation letters. A separate management representation letter is also required.

Suitable Criteria
SAS 70: A management assertion, and the underlying suitable criteria, are not a component of a SAS 70 audit report.
SSAE 16: A service organization's management is responsible for specifying the criteria that it used to prepare the description of its system. The minimum suitable criteria are described in the standards and are the determining factor as to whether an assessment constitutes an SSAE 16 Type 1 or Type 2 audit.

Suitability of Design of Controls
SAS 70: Type 1 and Type 2 opinion letters opine on the suitability of design of controls as of a specified date in time.
SSAE 16: Similar to SAS 70 audits, SSAE 16 Type 1 opinion letters opine on the suitability of design of controls as of a specified date in time. However, Type 2 opinion letters are now required to opine on the suitability of design of controls over the entire specified review period.

Evidence Obtained in Prior Engagements
SAS 70: A service auditor may use evidence from prior service auditor's engagements to reduce the nature, timing, and extent of the tests of operating effectiveness.
SSAE 16: A service auditor may not use evidence obtained in prior engagements about the satisfactory operation of controls in prior periods to provide a basis for a reduction in testing, even if it is supplemented with evidence obtained during the current period.

Use of Internal Audit's Work Product
SAS 70: A service auditor is not required to disclose its use of internal audit's work product.
SSAE 16: In the case of an SSAE 16 Type 2 report, a service auditor is required to disclose the nature and extent to which it relied on the work of the internal audit function in its description of tests of controls. The service auditor's procedures with respect to that work must also be disclosed.

Restriction of Report Use
SAS 70: Standard opinion letter language restricts use of the report to the service organization's management, its customers, and their customers' financial statement auditors.
SSAE 16: Standard opinion letter language is modified to restrict use of the report to the service organization's management, customers of the service as of a specified date (in the case of an SSAE 16 Type 1 report) or during the specified review period (in the case of an SSAE 16 Type 2 report), and the customers' financial statement auditors.

Inclusive Reporting Method
SAS 70: No requirement to obtain representations from subservice organizations prior to including their controls in a service organization's SAS 70 audit report.
SSAE 16: Subservice organizations are required to provide assertions and written representations similar to those provided by the service organization's management. The inclusive reporting method cannot be applied if a subservice organization refuses to provide relevant management assertions and a management representation letter.