Differences between SAS 70 and SSAE 16

  • Attestation vs Audit: In the new standard, the focus is attestation rather than audit.
  • Management Assertion: A written assertion has to be provided by Management.
  • System Description: Management is also responsible for providing its description of the service organization’s system (“the system”) rather than just controls.
  • Sub-Service Organizations: When Sub-Service Organizations are included, they are required to provide a similar assertion.
  • Audit Focus: The Service Auditor's focus in a Type 2 report is the suitability of the design of controls related to the control objectives for the period under reporting.
  • Internal Audit: SSAE 16 permits the Service Auditor to use the work of an internal audit function. The Service Auditor needs to disclose any such use within the report.