Questions and Answers

Common questions on rapidly changing compliance regulations

Get A Fixed Fee Quote Today Request a Free Quote

SSAE 16 differs from SAS 70 in a number of areas; the most fundamentally important aspect being that SSAE 16 is an “attestation” standard, while SAS 70 is an “auditing” standard.  The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) felt that examining a service organization’s “system” and their controls is not considered an audit of financial statements, thus it should not be categorized as that.

No. SSAE 16 compliance does not result in becoming SSAE 16 “certified”.  Using the term “certified” is technically incorrect and unfortunately became a common phrase in the era of SAS 70 auditing.  There is no certification awarded or granted upon completing an SSAE 16 attestation engagement.  Rather, the more technically correct wording one may use it that a service auditor has performed an attestation engagement to report on controls at a service organization, which resulted in the issuance of an SSAE 16 Type 1 or SSAE 16 Type 2 report.

ISAE 3402, The International Standard on Assurance Engagements, was put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board within the International Federation of Accountants (IFAC). ISAE 3402 essentially becomes the new globally recognized standard for assurance reporting on service organizations.  As a result of the issuance of ISAE 3402, auditors now have the ability to use a globally accepted framework, whereas in the past, Statement on Auditing Standards No. 70 (SAS 70) was the de facto standard that was largely used. ISAE 3402, much like that of the U.S. SSAE 16 standard, requires management to provide a description of its "system" along with proving a written statement of assertion by management.

For purposes of SSAE 16, the "internal audit function" are the personnel within a service organization who perform the roles and responsibilities of an internal auditor.  The personnel that consist of the "internal audit function" can also be other personnel who perform similar roles to that of an internal audit, such as third-party entities or other even other personnel within the service organization itself.

The written assertion by management for SSAE 16 essentially contains a number of  provisions for which management of the service organization must "assert" to, such as the following:

In the near future, NDNB will be providing interested parties with a sample SSAE 16 Type 2 report. Please check back with us periodically as we are constantly updating this site for ensuring you have the most up-to-date, current, and relevant information regarding the SSAE 16 standard. Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.

Since 2006, NDNB has been setting the standard for security & compliance regulations

Free Sample Toolkit

Download A FREE SOC Audit Toolkit

Get My Toolkit