This site uses cookies to provide you with a more responsive and personalized service. By using this site you agree to our use of cookies. Please read our cookie notice for more information on the cookies we use and how to delete or block them.

Bookmark Email Print page

ISAE 3402 and SSAE 16 (replacing SAS 70) - Reinforcing confidence through demonstration of effective controls | Brochure


ISAE 3402 and SSAE 16 defined

Overview of service organisation control reports

ISAE 3402 and SSAE 16Service organisation control reports are reports on the internal control structure for organisations that provide transaction processing services. The objective of a service organisation control report is to provide clients of a service organisation and their independent auditors with information on policies, procedures and controls that may be relevant to their internal control structure and their financial statements. The clients use the report to understand the adequacy and operating effectiveness of their service provider’s controls.

The client’s auditors use the report to understand controls related to a service that is likely to be relevant to clients' internal control, as it relates to financial reporting, and to reduce or eliminate audit procedures at
the service organisation.

Service organisation control reports have become increasingly prevalent in the marketplace since the issuance of Statements on Auditing Standards N° 70, Service Organisations (SAS 70) in 1992.

Replacing SAS70

The International Auditing and Assurance Standards Board (IAASB) issued a new international standard for engagements to report on controls at service organisations. At the same time, the American Institute of Certified Public Accountants (AICPA) also redrafted SAS 70.

The new standards have become effective for assurance reports covering periods ending on or after June 15 2011. These revisions of SAS 70 represent the first significant modifications to the standard since it was issued nearly two decades ago. While the standards issued by the IAASB and AICPA are not significantly different from each other, they do present some changes from SAS 70 that may prove challenging for some service organisations.

One reason for the change is that prior to the IAASB’s development of International Standard on Assurance Engagements 3402 (ISAE 3402), there was no global standard for engagements to report on controls at a service organisation. SAS 70 is a U.S. standard, and although it has been used for engagements outside the U.S., the IAASB saw a need to develop an internationally recognised standard. The AICPA, as part of its efforts to converge its U.S. standards with those of the IAASB, followed suit and issued a new Statement on Standards for Attestation Engagements No. 16 (SSAE 16) that replaced SAS 70 and mirrored ISAE 3402.

The new standards by the IAASB and AICPA are not aimed at overhauling how an engagement to report on controls at a service organisation is performed. Rather, they have been issued to meet the demands of the current market environment and to fit into the modern framework of assurance standards.

Assessment of your internal control maturity

Contingent on to the maturity of a service organisation with their internal control framework, two types of ISAE 3402/SSAE 16 reports can be issued, resulting from the independent assessment:

A Type 1 report covers controls placed in operation as of a point in time and is considered to be of limited use as it does not cover the operating effectiveness of the controls.

Typically, service organisations undertake a Type 1 examination only in their first year of going through such an examination as they may lack the evidential documentation supporting the operating effectiveness of the controls.

Alternatively, a Type 2 report covers controls placed in operation and tests of operating effectiveness for a period of time (generally not less than 6 months and not more than 12 months). This type of report may be utilised by clients and client financial statement auditors for control reliance purposes for an audit, as the differentiating factor is that a Type 2 report includes tests of operating effectiveness and the corresponding results within the report.

A Type 2 report is most beneficial to an organisation since it tests the effectiveness of the controls over the period of time and it is most often requested and expected by a service organisation’s clients.

The Deloitte ISAE 3402/SSAE 16, making the difference

Our ISAE 3402/SSAE 16 leadership

Our global Enterprise Risk Services practice

Our global Enterprise Risk Services (ERS) practice has more than 11,000 professionals in more than 60 countries.

These professionals are fully dedicated to providing ISAE 3402/SSAE 16, control assurance, internal audit and risk consulting services to a broad array of clients around the world.

Our network of dedicated ISAE 3402/SSAE 16 professionals

Deloitte specificity in providing ISAE 3402/SSAE 16 services is that our network of ERS practitioners comprises dedicated, full time professionals, not part-timers on loan from other practices.

Our globally integrated ISAE 3402/SSAE 16 services

Our ISAE 3402/SSAE 16 methodology, training resources, technical knowledgebase and internal quality reviews are integrated and coordinated globally and regionally so as to ensure consistency and the highest quality in the delivery of our ISAE 3402/SSAE 16 services all over the world.

Our strong experience in performing service organisation control examinations

We believe our experience in providing specialised service organisation control assurance examinations to many of the world’s leading companies speaks clearly for our ability to provide you with high-quality ISAE 3402/SSAE 16 services.

Our ISAE 3402/SSAE 16 distinctive approach

Choosing Deloitte

In choosing Deloitte as your ISAE 3402/SSAE 16 source, you are choosing a firm that is able to offer the vast array of services required to address such a multidisciplinary challenge. The result is a report informed by true 360-degree vision, one that takes into account every aspect of your operations and provides comprehensive third-party assurance worldwide. We can deliver superior ISAE 3402/SSAE 16 performance because we see your business with a broader and deeper perspective.

Depending on our client’s readiness level, we provide customised services designed to:

  • ISAE 3402/SSAE 16 readiness assistance
  • Type 1 ISAE 3402/SSAE 16 examination
  • Type 2 ISAE 3402/SSAE 16 examination
  • Local control report transformation into Type 2 ISAE 3402/SSAE 16 examination

Our business partnering approach

At Deloitte, we have the depth and breadth within our organisation to deliver leading practices to you on industry and ISAE 3402/SSAE 16 matters. We work with our clients to proactively identify value-added business insights, provide suggestions for improvement throughout the engagement as well as ensuring a smooth and consistent process.

Page Last Updated



Stay connected:
Get connected
Share your comments
More on Deloitte Luxembourg
Learn about our site

Recently published