
ISAE 3402 and SSAE 16 defined

Overview of service organisation control reports

Service organisation control reports are reports on the internal control structure for organisations that provide transaction processing services.

The objective of a service organisation control report is to provide clients of a service organisation and their independent auditors with information on policies, procedures and controls that may be relevant to their internal control structure and their financial statements.

The clients use the report to understand the adequacy and operating effectiveness of their service provider’s controls.

The client’s auditors use the report to understand controls related to a service that is likely to be relevant to clients' internal control, as it relates to financial reporting, and to reduce or eliminate audit procedures at the service organisation.

Service organisation control reports have become increasingly prevalent in the marketplace since the issuance of Statement on Auditing Standards No. 70, Service Organisations (SAS 70), in 1992.

Replacing SAS 70

The International Auditing and Assurance Standards Board (IAASB) issued a new international standard for engagements to report on controls at service organisations. At the same time, the American Institute of Certified Public Accountants (AICPA) also redrafted SAS 70.

The new standards have become effective for assurance reports covering periods ending on or after June 15, 2011. These revisions of SAS 70 represent the first significant modifications to the standard since it was issued nearly two decades ago. While the standards issued by the IAASB and the AICPA are not significantly different from each other, they do present some changes from SAS 70 that may prove challenging for some service organisations.

One reason for the change is that prior to the IAASB’s development of International Standard on Assurance Engagements 3402 (ISAE 3402), there was no global standard for engagements to report on controls at a service organisation. SAS 70 is a U.S. standard, and although it has been used for engagements outside the U.S., the IAASB saw a need to develop an internationally recognised standard.

The AICPA, as part of its efforts to converge its U.S. standards with those of the IAASB, followed suit and issued a new Statement on Standards for Attestation Engagements No. 16 (SSAE 16) that replaced SAS 70 and mirrored ISAE 3402.

The new standards by the IAASB and AICPA are not aimed at overhauling how an engagement to report on controls at a service organisation is performed. Rather, they have been issued to meet the demands of the current market environment and to fit into the modern framework of assurance standards.

A short history of audit requirements for service organisations:

  • 1992 - Development of SAS 70 by the AICPA.
  • 2002 - Passage of the Sarbanes-Oxley Act of 2002 leads to much wider use of SAS 70.
  • 2008/2009 - IAASB begins development of an international standard on service organisations. The AICPA SAS 70 task force begins redrafting SAS 70.
  • 2010 - A global standard, ISAE 3402, is issued by the IAASB, and a new U.S. standard, SSAE No. 16, is issued by the AICPA to replace SAS 70.
  • 2011 - For examination periods ending on or after June 15, 2011, service auditors are required to comply with either SSAE No. 16 or ISAE 3402.

Assessment of your internal control maturity

Depending on the maturity of a service organisation's internal control framework, one of two types of ISAE 3402/SSAE 16 report can be issued as the result of the independent assessment:

A Type 1 report covers controls placed in operation as of a point in time and is considered to be of limited use, as it does not cover the operating effectiveness of the controls. Typically, service organisations undertake a Type 1 examination only in the first year they go through such an examination, as they may lack the evidential documentation supporting the operating effectiveness of the controls.

Alternatively, a Type 2 report covers controls placed in operation and tests of their operating effectiveness over a period of time (generally not less than 6 months and not more than 12 months). Because a Type 2 report includes the tests of operating effectiveness and their results, it may be used by clients and their financial statement auditors for control reliance purposes in an audit.

A Type 2 report is the most beneficial to an organisation, since it tests the effectiveness of the controls over a period of time, and it is the report most often requested and expected by a service organisation's clients.

Type 1 ISAE 3402 or SSAE 16 report - Reports on controls placed in operation

  • A report on controls placed in operation (as of a point in time)
  • Looks at the existence and design of controls - not at their operating effectiveness
  • Considered for information purposes only
  • Not considered useful for purposes of reliance by user auditors
  • Generally performed the first year a service organisation undergoes an ISAE 3402/SSAE 16 examination

Type 2 ISAE 3402 or SSAE 16 report - Reports on controls placed in operation and tests of operating effectiveness

  • A report on controls placed in operation and tests of operating effectiveness (for a period of time, not less than 6 months and not more than 12 months)
  • Differentiating factor: includes tests of operating effectiveness
  • More emphasis on evidential matter
  • Requires more internal and external effort
  • May provide the user auditor with a basis for reducing audit procedures at the service organisation

ISAE 3402/SSAE 16 report structure

  • Section one - Independent service auditor's report (the 'Opinion')
  • Section two - Written assertion provided by the service organisation
  • Section three - Description of internal controls and control objectives (provided by the service organisation)
  • Section four - Information provided by the independent service auditor (includes tests of operating effectiveness and testing results for a Type 2 report)
  • Section five - Other information provided by the service organisation (optional)

Contacts

  • Laurent Berliner
    Partner - EMEA Financial Services Industry Enterprise Risk Services Leader
  • Ruth Bültmann
    Partner - Strategy & Corporate Finance
  • Michaël Blaise
    Director - Business Risk

Focus on

  • ISAE 3402 and SSAE 16 (replacing SAS 70) - Reinforcing confidence through demonstration of effective controls | Brochure
    In choosing Deloitte as your ISAE 3402/SSAE 16 source, you choose a firm able to offer the services required to address such a multidisciplinary challenge
  • Third party assurance reports - Challenges and opportunities | Podcast
    Discussion on the growing need for third-party assurance reports and related challenges and opportunities.
  • Gouvernance des risques - Adieu SAS 70 et bienvenu ISAE 3402 et SSAE 16 | Press article
    In response to the growth of outsourced activities, combined with the crisis, the use of SAS 70-type assurance reports on the controls of service providers has continued to increase.
