SSAE 16 vs. SAS 70 Comparison Provided by NDB Accountants & Consultants

Share Article

SSAE 16 vs. SAS 70 and the changes that are coming for reporting on controls at service organizations is a hot topic these days in the accounting profession. After almost 19 years of service, SAS 70 is effectively being replaced by SSAE 16. Get the facts about the coming changes from one of the most nationally recognized CPA firms specializing in regulatory compliance.

The transition from SAS 70 to SSAE 16 is underway and service organizations need to be ready for the changes.

A New Standard Emerges

SSAE 16 vs. SAS 70 and the changes that are coming for reporting on controls at service organizations is a hot topic these days in the accounting profession and NDB Accountants & Consultants offers the facts about the coming changes in the following SSAE 16 vs. SAS 70 discussion.

The terms SSAE 16 and SAS 70 have been used quite extensively in the auditing world as of late, and for good reason. Statement on Auditing Standards No. 70, known simply as SAS 70 to many, is nearing the end of its lifespan after approximately 19 years of service. Since its inception in April of 1992, the US auditing standard gradually grew to become the global de facto framework used for reporting on controls at service organizations. From Canada to the Far East and Argentina to Australia, SAS 70 and its local derivative, became a well-known, widely used, and universally accepted audit mechanism that provided assurances to a large and ever-growing pool of user entities.

But as all things come to pass, Statement on Standards for Attestation Engagements (SSAE ) No. 16, known as SSAE 16, has been put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Its purpose was to replace an aging SAS 70 standard that needed to be refreshed, but more importantly, one that would keep pace with the growing push towards more globally accepted international accounting standards. Thus, SSAE 16 was born in 2010, an “attest” standard that closely mirrors its international “assurance” equivalent, ISAE 3402, which was issued by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC).

A look at SSAE 16 vs. SAS 70 can be seen as a natural modifying evolution of the dated standard and a transition of power from one governing accounting principle authority to another. The old guard is being replaced, and with that comes new ideas, requirements, and a fresh approach to compliance reporting on controls at service organizations and the responsibilities of the service organization being audited.

So, what are the differences between SSAE 16 and SAS 70? Let’s address the more notable points, as these constitute the “must know” issues for developing an initial understanding of the new standard. Sure, there are numerous technical differences, but they may have a marginal impact, if any, on the application of the standard and the underlying SSAE 16 engagement, so these issues may be left to the auditors, such as those at NDB Accountants & Consultants.

Audit vs. Attest
As an initial point of nomenclature, SSAE 16, unlike SAS 70, is an “attest” standard, falling under the attestation framework, and not that of the “auditing” framework, which is the origination of the SAS 70 standard. According to the AICPA, when examining ones’ controls at a service organization, this should not be considered an audit, rather, it should fall under the “attest” standards, hence the name Statement on Standards for Attestation Engagements (SSAE) no. 16. The term “audit” is expected to be reserved in accounting standards for use in relation to financial statement auditing standards.

Description of a "System" vs. Description of "Controls"
Also important to note are the new reporting requirements set forth by SSAE 16 and how they differ from that of the SAS 70 auditing standard. First, SSAE 16 requires a description of the “system”, whereas SAS 70 only called for a description of “controls”. Stressing the term “only” because shortly after the SSAE 16 standard was released, practitioners have largely agreed that the description of the term “system” can be seen as a more expansive and detailed requirement when compared to that of the SAS 70 description of “controls”. In fact, the SSAE 16 standard (published in 2010) provides details and illustrations of subject matter that should be included as part of the description of the “system”. Thus, it’s fair to assume that service organizations who undertook SAS 70 compliance in the past will have to thoroughly re-examine their prior description of “controls” for ensuring it meets the true intent of the SSAE 16 description of the “system.” A competent, well-qualified CPA firm may be able to assist you in this matter.

To view the full article, visit the official SSAE 16 Resource Guide White Paper

About NDB
NDB Accountants & Consultants (NDB) is a nationally recognized CPA and Advisory firm specializing in the field of regulatory compliance, ranging from SAS 70 audits, PCI DSS compliance, to HIPAA, FISMA, and GLBA compliance, just to name a select few. The last decade has seen security, governance, and compliance issue permeate all layers of business, due in large part to the Sarbanes Oxley Act of 2002 and various other state and federal laws and regulations. As such, NDB has been on the forefront of many of these compliance initiatives, developing highly efficient and cost-effective auditing methodologies, while providing first-class, resource rich web portals for educational purposes, such as the highly acclaimed SAS 70 Resource Guide, the PCI DSS Resource Guide along with the ISAE 3402 Resource Guide.

# # #

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Chris Nickell | East Coast

Charles Denyer | West Coast
Visit website