SSAE 16 differs from SAS 70 in a number of areas; the most fundamentally important aspect being that SSAE 16 is an “attestation” standard, while SAS 70 is an “auditing” standard.  The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) felt that examining a service organization’s “system” and their controls is not considered an audit of financial statements, thus it should not be categorized as that.

Additionally, the ISAE 3402 standard, put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC), is an “assurance” standard, which is essentially equivalent to the SSAE 16 “attestation” standard.  Learn more about NDNB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.

As for reporting requirements for service organizations, SSAE 16 requires a description of one’s “system” along with a written assertion by management, whereas SAS 70 requires a description of “controls” and no written assertion.  The key difference between the SSAE 16 description of its “system” and the SAS 70 auditing standard’s description of “controls” is that many organizations may find themselves having to revise their prior descriptions to meet the new requirements for SSAE 16 reporting.

Generally, most practitioners seem to agree that the SSAE 16 requirements for a description of its “system” are considered more comprehensive and expansive than the SAS 70 auditing standards description of “controls”.

Contact NDNB, a nationally recognized CPA firm for helping your organization prepare for the new SSAE 16 reporting requirements.