In many cases, the determination of whether to follow the standards of ISAE 3402 or the SSAE 16 will be clear. SSAE 16 will be the standard used for service organisations located and operating in the U.S. while the ISAE 3402 standard will be used by all other companies.
However, with the continuing globalisation of business, many service organisations have operations and/or customers within as well as outside the U.S. In these cases, the determination of which standard to use may not be as clear. Many may wish to consult with their auditor to assist in the decision.
Due to the efforts of the AICPA to converge the SSAE standard with the international standard ISAE 3402, the two standards are fairly similar. Thus, it is possible for a service organisation to have an examination performed under both sets of ISAE 3402 and SSAE 16 standards.
Principal differences between ISAE 3402 and SSAE 16
|U.S. standard: SSAE 16||International standard: ISAE 3402|
|Use of report||Report required to specifically state that is restricted to the intended users||Report required to state that it is only intended for user entities and their auditors, but may also include restrictive use language|
|Intentional acts||Service auditor considers impact of intentional acts on the report||Silent on this requirement|
|Subsequent events||Service auditor to consider Type 2 subsequent events after the report date||Does not require auditor to consider events after the report date|
|Reporting||Does not enable a service auditor to conclude that a deviation identified when performing tests of controls involving sampling is not representative of the population from which the sample was drawn||Enables a service auditor to conclude that a deviation identified when performing tests of controls involving sampling is not representative of the population from which the sample was drawn|