What are the similarities and difference when it comes to SSAE 16 vs. ISAE 3402? That's a question posed often by interested parties seeking learn more about the SSAE 16 AICPA attest standard and the IFAC ISAE 3402 assurance standard. They both have been developed for purposes of reporting on controls at service organizations, and they both also are a result of collaborative efforts by the AICPA and IFAC.

As for the similarities, notable points are the following:

1. Both SSAE 16 and ISAE 3402 reports can be "Type 1" or "Type 2"
2. They both require a description of their "system", along with requiring management of the service organization to provide a written statement of "assertion".
3. They are issued by Certified Public Accountants (CPA) and Chartered Accountants (CA) - official designations in the field of accountancy.
Additionally, both standards closely align themselves in many other areas, and they both originated out of a collaborative effort by notable entities (AICPA, IFAC) to create more globally accepted accounting principles. ISAE 3402 was going to move forward, and the AICPA – already having plans to retire the aging SAS 70 auditing standard – put forth the SSAE 16 standard that contained many elements of ISAE 3402. In fairness, no one standard was really “ahead” of the other – rather –a joint effort was initiated to create both SSAE 16 and ISAE 3402. Additionally, they’re both experiencing great success, as witnessed by the overwhelming acceptance and adoption of SSAE 16 and ISAE 3402 on the global business arena.  Learn more about NDB's compliance expertise and the complimentary SOC 2 Policy Packets, along with our complimentary PCI DSS Policy Packets and also SOC 1 Policy Packets we provide to our clients for each enagement. It truly makes a difference for each audit!

SSAE 16 & ISAE 3402 Differences worth Noting
But there are differences for which interested parties should be aware of, such as the following:

• Intentional Acts by Service Organization Personnel
• Anomalies
• Direct Assistance
• Subsequent Events
• Statement Restricting Use of the Service Auditor’s Report
• Documentation Completion
• Engagement Acceptance and Continuance
• Disclaimer of Opinion
• Elements of the SSAE Report that are not Required in the ISAE 3402 Report

NDB | SSAE 16 & ISAE 3402 Reporting Compliance Experts
These aforementioned areas can be explained to you in a comprehensive manner by a competent and well-qualified Licensed CPA and HITRUST Firm, such as NDB. In all honestly, most of these difference are technical in nature, along with being the responsibility of the practitioner (i.e. CPA or CA) conducting the actual SSAE 16 or ISAE 3402 assessment. If you really want to learn about these technical differences, then visit the official AICPA bookstore and purchase the following document: “Reporting on Controls at a Service Organization – SSAE 16”. Call 1-800-277-5415, ext. 706, and speak with Christopher G. Nickell, CPA, to discuss NDB’s SSAE 16 and ISAE 3402 competitive, fixed-fee services for Type 1 and Type 2 reporting.