This site uses cookies to provide you with a more responsive and personalized service. By using this site you agree to our use of cookies. Please read our cookie notice for more information on the cookies we use and how to delete or block them.

Bookmark Email Print page

Which standard to follow?

In many cases, the determination of whether to follow the standards of ISAE 3402 or the SSAE 16 will be clear. SSAE 16 will be the standard used for service organisations located and operating in the U.S. while the ISAE 3402 standard will be used by all other companies.

However, with the continuing globalisation of business, many service organisations have operations and/or customers within as well as outside the U.S. In these cases, the determination of which standard to use may not be as clear. Many may wish to consult with their auditor to assist in the decision.

Due to the efforts of the AICPA to converge the SSAE standard with the international standard ISAE 3402, the two standards are fairly similar. Thus, it is possible for a service organisation to have an examination performed under both sets of ISAE 3402 and SSAE 16 standards.

Principal differences between ISAE 3402 and SSAE 16

  U.S. standard: SSAE 16 International standard: ISAE 3402
Use of report Report required to specifically state that is restricted to the intended users Report required to state that it is only intended for user entities and their auditors, but may also include restrictive use language
Intentional acts Service auditor considers impact of intentional acts on the report Silent on this requirement
Subsequent events Service auditor to consider Type 2 subsequent events after the report date Does not require auditor to consider events after the report date
Reporting Does not enable a service auditor to conclude that a deviation identified when performing tests of controls involving sampling is not representative of the population from which the sample was drawn Enables a service auditor to conclude that a deviation identified when performing tests of controls involving sampling is not representative of the population from which the sample was drawn

Contacts

  • Laurent Berliner
    Partner - EMEA Financial Services Industry Enterprise Risk Services Leader
  • Ruth Bültmann
    Partner - Strategy & Corporate Finance
  • Michaël Blaise
    Directeur - Business Risk

Focus on

  • ISAE 3402 and SSAE 16 (replacing SAS 70) - Reinforcing confidence through demonstration of effective controls | Brochure
    In choosing Deloitte as your ISAE 3402/SSAE 16 source, you choose a firm able to offer the services required to address such a multidisciplinary challenge
  • Third party assurance reports - Challenges and opportunities | Podcast
    Discussion on the growing need for third-party assurance reports and related challenges and opportunities.
  • Gouvernance des risques - Adieu SAS 70 et bienvenu ISAE 3402 et SSAE 16 | Press article
    En réponse au développement de la sous-traitance d’activités conjugué à la crise, l’utilisation de rapports d’assurance sur les contrôles de prestataires de services de type SAS70 n’a cessé de s’accroître.

Share

 

Stay connected:
Get connected
Share your comments
More on Deloitte Luxembourg
Learn about our site

Recently published