This site uses cookies to provide you with a more responsive and personalized service. By using this site you agree to our use of cookies. Please read our cookie notice for more information on the cookies we use and how to delete or block them.

Bookmark Email Print page

Key considerations of ISAE 3402/SSAE 16

The standards ISAE 3402 and SSAE 16 require that management of the service organisation provides a written assertion attesting to the fair presentation and design of controls (in a Type 1 report) or the fair presentation, design, and operating effectiveness of controls (in a Type 2 report). This written assertion is separate from the written representations obtained from management.

Under these standards, engagements are considered `assertion-based´: management is required to provide a written assertion, even though the auditor will continue to report on the subject matter (i.e. whether controls are fairly presented, suitably designed, and [in a Type 2 report] operating effectively).

In order to provide a written assertion, management will need to have a reasonable basis for making the assertion, which may include developing their own processes to support the assertion if such processes are not already in place. ISAE 3402 and SSAE 16 provide specific requirements that management must meet in order to provide a written assertion.

For instance, management is required to:

  • Select suitable criteria, which will be used to prepare its description of the system as well as to evaluate whether controls were suitably designed (Type 1 report) or suitably designed and operating effectively (Type 2 report)
  • Identify the risks that threaten the achievement of the control objectives stated in the description

Therefore, management is not able to rely solely on the testing performed by the service auditor to provide their assertion.

If the service organisation relies on controls at a subservice organisation and management elects to use the inclusive method (that is, management’s description of the service organisation’s system includes controls at the subservice organisation), management will also need to determine whether controls at the subservice organisation are suitably designed or suitably designed and operating effectively, depending on whether they are executing a Type 1 or Type 2 report.

In order to make this determination and to support their own assertion, management of the service organisation would need to obtain a written assertion from management of the subservice organisation. If the management of a service organisation does not provide an assertion, the service auditor will not be able to accept the engagement.

Management written assertion: example activities

  Level of assertion
Example procedures Service auditor performs testing and issues report - Management reporting and other oversight activities
- Management risk assessment
- Internal audit testing/monitoring
- Independent regulatory examination
- Independent risk assessment
Management or independent assessment of operating effectiveness of controls
Supporting documentation None - Management monitoring documentation
- Management risk assessment documentation
- Internal audit reporting
- Regulatory reporting
- Independent risk assessment results
Testing evidence for the operating effectiveness of controls

A combination of ongoing monitoring and separate evaluations will usually help ensure that internal control maintains its effectiveness over time.


  • Laurent Berliner
    Partner - EMEA Financial Services Industry Enterprise Risk Services Leader
  • Ruth Bültmann
    Partner - Strategy & Corporate Finance
  • Michaël Blaise
    Directeur - Business Risk

Focus on

  • ISAE 3402 and SSAE 16 (replacing SAS 70) - Reinforcing confidence through demonstration of effective controls | Brochure
    In choosing Deloitte as your ISAE 3402/SSAE 16 source, you choose a firm able to offer the services required to address such a multidisciplinary challenge
  • Third party assurance reports - Challenges and opportunities | Podcast
    Discussion on the growing need for third-party assurance reports and related challenges and opportunities.
  • Gouvernance des risques - Adieu SAS 70 et bienvenu ISAE 3402 et SSAE 16 | Press article
    En réponse au développement de la sous-traitance d’activités conjugué à la crise, l’utilisation de rapports d’assurance sur les contrôles de prestataires de services de type SAS70 n’a cessé de s’accroître.



Stay connected:
Get connected
Share your comments
More on Deloitte Luxembourg
Learn about our site

Recently published