Differences between SAS 70 and SSAE 16
- Attestation vs Audit: In new standard attestation is the focus rather than the audit.
- Management Assertion: A written assertion has to be provided by Management.
- System Description: Management is also responsible for providing its description of the service organization’s system (“the system”) rather than just controls.
- Sub-Service Organizations: In case of inclusion of the Sub-Service Organizations, Sub-Service organizations are required to provide a similar assertion.
- Audit Focus: Service Auditor focus in a Type 2 report is the suitability of the design of controls related to the control objectives for the period under Reporting.
- Internal Audit: SSAE 16 permit the Service Auditor to use the work of an internal audit function. Service auditor need to disclose any such use within the report.