ISAE 3402 and SSAE 16

In December 2009, the International Auditing and Assurance Standards Board (IAASB) issued International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization. ISAE 3402 was created to address engagements undertaken by a professional accountant to report on the controls at a third-party organization that provides a service to user entities when those controls are likely to be part of user entities’ information systems relevant to financial reporting.

In January 2010, the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, which is similar to the international standard and supersedes Statement on Auditing Standards (SAS) No. 70, Service Organizations.

The new ISAE 3402 and SSAE 16 standards are effective for reports for periods ending on or after 15 June 2011, with early adoption permitted. Because many reporting periods cover 12 months and begin in July, the new standards will affect many organizations as early as 1 July 2010.

While SAS 70 has worked well for many years, a number of factors drove the need for the new standards, including:

Globalization of business process outsourcing
Business process outsourcing has grown from regional shared service organizations created by specific industries to multinational and local organizations serving many different industries for a mixture of local, regional and international organizations. As a result, the information required in a SAS 70 report may no longer be sufficient for user entities.

SAS 70 is a US standard
While SAS 70 is used globally, it is a US standard and engagements must be performed in accordance with the AICPA US Auditing Standards. Consequently, current reports may not respond to the needs of user entities and their auditors outside the US.

Service organization’s report versus service auditor’s report
SAS 70 was developed as an auditor-to-auditor communication, a way for the service auditor to share audit work papers with the user auditor, who then could rely on this work in planning and executing the financial statement audit. However, the regulatory landscape has seen significant changes, and governments, regulators, boards of directors and financial statement users are placing ever-increasing emphasis on internal control over financial reporting. These stakeholders, as well as the user auditors, now need a report from and by the service organization describing its internal control. This, in turn, significantly increases the importance of management’s description of its system. The independent service auditor’s opinion remains critical, but its role is as a provider of assurance, not the entity responsible for the communication.

While similar to SAS 70, the new standards will require changes to service organizations’ reporting processes and reports. For some service organizations, these changes will be relatively minor. For others, significant efforts will be required to change their reports, reporting processes, or both.

For more information on ISAE 3402 and SSAE 16, as well as an explanation of:

  • Service organization responsibilities under the new standards
  • Changes to service auditor responsibilities under the new standards
  • Impact on reports with inclusive subservice organizations
  • Action steps to implement the new standards

see this “Insights on IT Risk” publication from Ernst & Young.