
SSAE 16 vs. ISAE 3402 | Understanding the Similarities and Differences | AICPA vs. IFAC


05 December 2017


What are the similarities and differences between SSAE 16 and ISAE 3402? That is a question often posed by interested parties seeking to learn more about the SSAE 16 AICPA attest standard and the IFAC ISAE 3402 assurance standard. Both were developed for the purpose of reporting on controls at service organizations, and both are the result of collaborative efforts by the AICPA and IFAC.

As for the similarities, notable points are the following:

1. Both SSAE 16 and ISAE 3402 reports can be "Type 1" or "Type 2".
2. Both require a description of the service organization's "system", along with a written statement of "assertion" from the service organization's management.
3. Both are issued by Certified Public Accountants (CPAs) and Chartered Accountants (CAs), official designations in the field of accountancy.

Additionally, both standards closely align in many other areas, and both originated out of a collaborative effort by notable entities (AICPA, IFAC) to create more globally accepted accounting principles. ISAE 3402 was going to move forward, and the AICPA, already planning to retire the aging SAS 70 auditing standard, put forth the SSAE 16 standard, which contained many elements of ISAE 3402. In fairness, neither standard was really "ahead" of the other; rather, a joint effort was initiated to create both SSAE 16 and ISAE 3402. Both are also experiencing great success, as witnessed by the widespread acceptance and adoption of SSAE 16 and ISAE 3402 in the global business arena. Learn more about NDB's compliance expertise and the complimentary SOC 2 Policy Packets, PCI DSS Policy Packets and SOC 1 Policy Packets we provide to our clients for each engagement. It truly makes a difference for each audit!

SSAE 16 & ISAE 3402 Differences Worth Noting

There are, however, differences of which interested parties should be aware, including the following:

  • Intentional Acts by Service Organization Personnel
  • Anomalies
  • Direct Assistance
  • Subsequent Events
  • Statement Restricting Use of the Service Auditor’s Report
  • Documentation Completion
  • Engagement Acceptance and Continuance
  • Disclaimer of Opinion
  • Elements of the SSAE Report that are not Required in the ISAE 3402 Report

NDB | SSAE 16 & ISAE 3402 Reporting Compliance Experts

These areas can be explained to you in a comprehensive manner by a competent and well-qualified Licensed CPA and HITRUST Firm, such as NDB. In all honesty, most of these differences are technical in nature, and they are the responsibility of the practitioner (i.e., the CPA or CA) conducting the actual SSAE 16 or ISAE 3402 assessment. If you really want to learn about these technical differences, visit the official AICPA bookstore and purchase the following document: "Reporting on Controls at a Service Organization – SSAE 16". Call 1-800-277-5415, ext. 706, and speak with Christopher G. Nickell, CPA, to discuss NDB's competitive, fixed-fee SSAE 16 and ISAE 3402 services for Type 1 and Type 2 reporting.

