SSAE16 has replaced SAS70 as the official audit standard for companies in the service industry. It is important for CIOs to learn how the new standard is different from SAS70 to enable the organization to function effectively. In this article, we’ll take a look at the core differences between the two.
Brief Overview of SAS70
SAS70 was created by the American Institute of CPAs nearly 20 years ago. It was an approach that service providers used with their customers. There were two kinds of SAS70 audit: Type 1 and Type 2. The former assesses the sufficiency of the controls in place at a service company as of a particular date, while the latter looks into the effectiveness of those controls. In essence, the Type 1 audit determines whether the company has properly designed its controls to meet the required standard. The Type 2 audit tests the controls to see if they are really working.
If your organization uses third-party services, it is highly likely that it is heavily reliant on SAS70 Type 2 reports. These reports help determine whether your company is complying with industry standards, and they also help the company improve its governance standards. CIOs have incorporated the audit reports into all IT contracts under vendor management to meet compliance requirements.
Brief Overview of the SSAE16
SSAE16 is the new standard for service organizations. It contains a variety of improvements over the SAS70 Type 2 reports. Similar to its predecessor, SSAE16 will be used when an organization outsources a task or function whose results should be included in the financial statements. Its structure provides many benefits to CIOs and IT service firms.
SSAE16 also has broader application than the SAS70 reports. For example, it can be used by data center companies, IT outsourcing firms, managed enterprises, cloud hosting providers and payroll providers, among others.
Main Differences between SAS70 and SSAE16
- Attestation vs. Audit – the examination of service providers is now considered an “attest” activity rather than just an “audit” activity.
- System vs. Control – under SAS70, service providers only had to look into the “controls”. With SSAE16, they must address the entire system.
- Time Period – in SSAE16 Type 2, an auditor’s opinion must cover a specific timeframe rather than just looking at a specific date.
- Sub-Organizations – service providers that depend on sub-contractors must address the issues of their own service providers. This ensures that the entire “system” complies with the standard.