Usually, when you look out to get an independent controls attestation for your organization by a third party service auditor, you may come across many ways of getting that done. You can either get a SOC 1 or SOC2 audit done (Type I or Type II) based on your requirements and choose your attestation standards for the report i.e. either ISAE the UK standard, No. 3402 being the latest one or the SSAE (the US standard, No. 18 being the latest). In this article, we will touch upon both the standards, their managing authorities and the key differences which will help you understand what exactly they are and identify the best one for yourself.
ISAE stands for International Standards on Attestation Engagements (the UK standard) which is managed by IAASB (International Auditing & Assurance Standards Board) which in turn reports to IFAC (International Federation of accountants).
SSAE stands for Statement on Standards of Attestation Engagements (the US standard) and is managed by AICPA (American Institute of Certified Public Accountants) which reports to FASB (Financial Accounting Standards Board).
Principally both the standards are designed to achieve the same objective in terms of reporting the establishment of effectively designed controls over financial reporting and each service organizations may need to provide reports to their clients (user entities) according to different standards. For the service organizations catering services within United States, SSAE18 is best suited. While for the ones providing services outside US, reporting can be done in accordance with the ISAE 3402 standards (termed as a combined report).
Further, there are a few key differences when it comes to performance and reporting style of both the standards. Below are the major key differences which one should know:
• Investigation of the Intentional Acts
Both the standards require the investigation of any deviations identified during the testing. They direct the service auditor to investigate the noted deviations that could have been caused by an intentional act of service organization’s (SO) personnel. The SSAE 18 directs that the auditor should receive a written representation from SO management detailing any actual or suspected intentional acts (like employee committing frauds) that could impact the fair presentation of management’s description of the system. However, the ISAE 3402 does not explicitly require auditors to obtain the written representations.
• Dealing with Operating Anomalies
Any finding that deviates from the standard is an Operating Anomaly. SSAE 18 treats all deviations in the same manner, rather than as an anomaly. However, ISAE 3402 contains a requirement that allows a service auditor to conclude that any identified deviation while testing a sample of the control can be considered an anomaly. The idea is that when controls are sampled, they are not necessarily representative of the entire population from the samples drawn.
• Assistance from Internal Audit Team
SSAE 18 enables the use of direct assistance from the service organization’s internal audit function in accordance with the U.S. audit standards guidance. ISAE 3402 does not allows the use of the internal audit function for direct assistance.
• Subsequent Events
SSAE 18 calls out that the service auditor should report any event that could be significant in order to prevent users from being misled. A subsequent event would be something that could change management’s assertion after the audit period has ended. However, ISAE 3402 restricts the types of subsequent events that would be disclosed in the service auditor’s report to only those that could have a significant effect on the service auditor’s report.
• Statement on Restricting Use of the Service Auditor’s Report
SSAE 18 requires that the auditor’s report should include a statement restricting the use of the report to management of the service organization, user entities, and user auditors. However, ISAE 3402 requires that the service auditor’s report include a statement that indicates that the report is intended for the service organization, user entities & user auditors but does not require a statement restricting its use.
• Acceptance of Engagement and Continuation
SSAE 18 directs that management should acknowledge and accept the responsibility of providing the service auditor with written representations at the conclusion of the engagement. However, ISAE 3402 does not requires this acknowledgment.
• Disclaimer of Opinion
If the service provider does not provide the assessor with specific written representation, ISAE 3402 requires that the auditor deny an opinion after discussing the concern with management. If this happens, the auditor can carry out the required action. SSAE 18 requires that the service auditor takes an action or withdraws from the engagement. The SSAE 18 also contains certain incremental requirements for a situation where auditor plans to deny any opinion.
• Elements of the Section 801 Report That Are Not Required in the ISAE 3402 Report
SSAE 18 contains certain requirements that are additional to those in ISAE 3402. These requirements are as follows:
o The identification of any information included in the documentation that is not covered by the service auditor’s report.
o A reference to management’s assertion, and a statement that management is responsible for identifying any of the risks that threaten the fulfillment of the control objectives
o A statement that the examination included assessing the risks that management’s description of the service organization’s system is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives.
o A statement that an examination engagement of this type also includes evaluating the overall presentation of management’s description of the service organization’s system and suitability of the control objectives stated in the description.
We believe, that the article what have enhance your understanding of the two standards and their key differences. Please reach out us if you still have any queries or for any further information.