Compliance White Papers

Taking the hassle out of staying compliant

Get A Fixed Fee Quote Today Request a Free Quote

SOC 1 (SSAE 16/SSAE 18) and ISAE 3402 share many similarities indeed, both being standards put forth that have fundamentally reshaped the regulatory compliance landscape for reporting on controls at service organizations. Come June 15, 2011, the well-recognized SAS 70 auditing standard was replaced by SSAE 16, allowing the new U.S. standard along with ISAE 3402 and other region specific standards to become the dominant platforms for reporting on controls at service organizations.  then, for issuing of SOC reports on or after May 1, 2017, SSAE 18 superseded SSAE 16.

A Collaborative Effort by Various Standard Setting Bodies

SSAE 16/SSAE 18 and ISAE 3402 are the result of a collaborative effort put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC) and the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Both entities closely aligned each of their respective standards in an attempt to follow a growing move towards more international, globally accepted accounting standards. The IAASB took the lead in establishing the new ISAE 3402 standard, with the ASB following closely behind and adopting a "convergence" ideology in developing the framework for SSAE 16/SSAE 18 that was to closely mirror ISAE 3402.

Two Important Points to Note

The two most important elements that distinguish SSAE 16/SSAE 18 and ISAE 3402 from the SAS 70 auditing standard is that management of the service organization must provide a description of its "system" along with a written assertion. This will no doubt require careful planning and consideration from the service organization for ensuring these reporting requirements are met. And while the SAS 70 auditing standard called for a description of “controls”, the SSAE 16/SSAE 18 and ISAE 3402 standards call for a description of the service organization’s “system”, which can be quite broad and extensive when reading the final language for the SSAE 16/SSAE 18 and ISAE 3402 standards. 

Subtle Differences Between SSAE 16/SSAE 18 and ISAE 3402

However, there are indeed a number of differences between SSAE 16/SSAE 18 and ISAE 3402, and a qualified service auditor can explain these to your organization, if necessary. Most of these difference can be looked upon as technical in nature, as the overriding platform of SSAE 16/SSAE 18 and ISAE 3402 are vastly similar.  SSAE 16/SSAE 18 and ISAE 3402 will effectively become the dominant standards used for reporting on controls at service organizations. It is unclear at this point what role any of the existing country and regional specific standards will have. SAS 70 is long gone, so say hello to the SSAE 18 standard.

NDNB - North America's Leading Provider of SOC 1 (SSAE 16/SSAE 18) - Fixed Fees

Please contact us today or call Christopher G. Nickell, CPA, to learn more about NDNB’s competitive, fixed-fee pricing for SOC 1 (SSAE 16/SSAE 18) Type 1 and Type 2 reporting. 1-800-277-5415, ext. 706.

Since 2006, NDNB has been setting the standard for security & compliance regulations