The Statement on Standards for Attestation Engagements No.16 and International Standard on Assurance Engagements No.3402 are the new standards for reporting on service organization controls. They replace the former de facto standard, SAS 70.

SSAE 16 and ISAE 3402 attestations are specifically designed for service organizations that provide services to clients (user entities). The new Service Organization Control (SOC) reporting options (SOC 1, SOC 2 and SOC 3), are based on:

• SSAE 16, Reporting on Controls at a Service Organization for SOC 1
• Trust Services Principles, Criteria and Illustrations plus AT Section 101, Attest Engagements for SOC 2 and SOC 3

Replacing SAS 70

Since 1992, SAS 70 provided the guidance for reporting on internal controls over financial reporting at service organizations. The two key authorities, the American Institute of Certified Public Accountants (AICPA)and the International Auditing and Assurance Standards Board (IAASB), acknowledged SAS 70's limits and the need for uniform standards as well as rapidly evolving technology, economic globalization, greater demand for transparency and increased financial reporting  risks. Both bodies issued new standards to replace SAS 70 officially on June 15, 2011 with SSAE 16 and ISAE 3402.

• SAS 70, while it was developed solely for ICFR, was often misused for compliance and operations assurance purposes due to a lack of alternative standards
• With the increasing globalization of business, there was a corresponding need for globally accepted accounting principles and standards (resulting in ISAE 3402); in addition, technology advancements expanded the environment for risk beyond the scope of SAS 70
• The new standards provide the framework for internal control over financial reporting (ICFR) as well as compliance and operations, incorporating trust services criteria related to security, availability, processing integrity, confidentiality and privacy
• AICPA's SOC reporting approach is based on SSAE 16 and other guidance, providing a broader scope and flexibility with three distinct reports to target specific needs

The new standards and new reporting approach (SSAE 16 AND ISAE 3402

The IAASB issued ISAE 3402 in December 2009. The AICPA issued SSAE 16 soon after.

These attestation standards address engagements undertaken by a service auditor for reporting on controls at service organizations that provide services to user entities (customers), for which a service organization's controls are likely to be relevant to the user entities. User entities in reality take on many of the risks of their outsource partners. These attestation standards provide the framework for CPAs to report on the internal controls over financial reporting (ICFR) as well as compliance and operations of the service organizations in order to determine and demonstrate the effectiveness of internal controls.

SSAE 16; ISAE 3402; Trust Services Principles, Criteria and Illustrations; and AT 101, Attest Engagements provide a broad platform to address financial plus operational and compliance related risks. AICPA developed its Service Organization Controls reporting approach and three SOC reports to cover this broader spectrum of service organization internal controls reporting needs.

SOC reports provide the framework for CPAs to examine controls and report findings to organizations' management and relevant users to help them understand related risk in a structured, reliable manner.

With the new standard and report approach, and SOC 1, SOC 2 and SOC 3 report deliverables, service organizations and user entities can describe and document more precisely how services are being delivered and how controls are deployed within the organization’s domains of finance, operations and/or compliance.

SSAE 16 vs. ISAE 3402

The US standards SSAE 16 and the international standard ISAE 3402 are tightly aligned, with some subtle differences. Either can be employed for reporting on internal controls over financial reporting at service organizations and the choice can depend on the national or global nature of the business.

Note that the new standards and SOC reporting options provide you with an expanded choice to target your internal controls reporting more precisely than ever before. SJU can help you decide which format is right for your business.

SJU: Expertise applying the new standards

SJU is one of the leading providers of attestation reporting based on historical SAS 70, SSAE 16 or ISAE 3402 standards. We offer expertise on the new attestation frameworks, which enable us to provide relevant opinions on management assertions pertaining to IT system descriptions regarding fairness of presentation, suitability of design and operating effectiveness of the relevant controls that substantiate management's objectives.

We examine the design of your controls to:

• Identify risks
• Evaluate effectiveness of the internal controls identified by management
• Provide assurance that management misstatements are prevented, detected and corrected, and that control objectives are achieved

We are fully qualified to issue SOC 1, SOC 2 or SOC 3 reports, and SSAE 16 and ISAE 3402 attestation services, depending on internal control reporting needs relating to:

• Financial
• Compliance
• Operations

You receive analysis and reporting on your internal controls based on the most current standards in order to satisfy the requirements of entities such as user entities/businesses, auditors, regulators or for genreal market awarness.

We can also meet your reporting needs by deciding on an appropriate "type" of SOC report, following AICPA requirements.

To learn more, feel free to visit the Service Organization Control FAQ