The US and UK attestation standards (SSAE vs. ISAE)

The US and UK attestation standards (SSAE vs. ISAE)


Usually, when you look out to get an independent controls attestation for your organization by a third party service
auditor, you may come across many ways of getting that done. You can either get a SOC 1 or SOC2 audit done (Type
I or Type II) based on your requirements and choose your attestation standards for the report i.e. either ISAE (the
UK standard, No. 3402 being the latest one) or the SSAE (the US standard, No. 18 being the latest). In this article,
we will touch upon both the standards, their managing authorities and the key differences which will help you
understand what exactly they are and identify the best one for yourself.
ISAE stands for International Standards on Attestation Engagements (the UK standard) which is
managed by IAASB (International Auditing & Assurance Standards Board) which in turn reports to IFAC
(International Federation of accountants).

SSAE stands for Statement on Standards of Attestation Engagements (the US standard) and is managed
by AICPA (American Institute of Certified Public Accountants) which reports to FASB (Financial Accounting
Standards Board).
Principally both the standards are designed to achieve the same objective in terms of reporting the establishment
of effectively designed controls over financial reporting and each service organizations may need to provide
reports to their clients (user entities) according to different standards. For the service organizations catering
services within United States, SSAE18 is best suited. While for the ones providing services outside US, reporting
can be done in accordance with the ISAE 3402 standards (termed as a combined report).
Further, there are a few key differences when it comes to performance and reporting style of both the standards.
Below are the major key differences which one should know:
 Investigation of the Intentional Acts
Both the standards require the investigation of any deviations identified during the testing. They direct the
service auditor to investigate the noted deviations that could have been caused by an intentional act of service
organization’s (SO) personnel.
The SSAE 18 directs that the auditor should receive a written representation from SO management detailing any
actual or suspected intentional acts (like employee committing frauds) that could impact the fair presentation of
management’s description of the system. However, the ISAE 3402 does not explicitly require auditors to obtain
the written representations.

 Dealing with Operating Anomalies
Any finding that deviates from the standard is an Operating Anomaly. SSAE 18 treats all deviations in the same
manner, rather than as an anomaly. However, ISAE 3402 contains a requirement that allows a service auditor to
conclude that any identified deviation while testing a sample of the control can be considered an anomaly. The
idea is that when controls are sampled, they are not necessarily representative of the entire population from the
samples drawn.

 Assistance from Internal Audit Team
SSAE 18 enables the use of direct assistance from the service organization’s internal audit function in accordance
with the U.S. audit standards guidance. ISAE 3402 does not allows the use of the internal audit function for
direct assistance.

 Subsequent Events
SSAE 18 calls out that the service auditor should report any event that could be significant in order to prevent
users from being misled. A subsequent event would be something that could change management’s assertion
after the audit period has ended. However, ISAE 3402 restricts the types of subsequent events that would be
disclosed in the service auditor’s report to only those that could have a significant effect on the service auditor’s
 Statement on Restricting Use of the Service Auditor’s Report
SSAE 18 requires that the auditor’s report should include a statement restricting the use of the report to
management of the service organization, user entities, and user auditors. However, ISAE 3402 requires that the
service auditor’s report include a statement that indicates that the report is intended for the servi ce organization,
user entities & user a

uditors but does not require a statement restricting its use.
 Acceptance of Engagement and Continuation
SSAE 18 directs that management should acknowledge and accept the responsibility of providing the service
auditor with written representations at the conclusion of the engagement. However, ISAE 3402 does not
requires this acknowledgment.
 Disclaimer of Opinion
If the service provider does not provide the assessor with specific written representation, ISAE 3402 requires
that the auditor deny an opinion after discussing the concern with management. If this happens, the auditor can
carry out the required action.
SSAE 18 requires that the service auditor takes an action or withdraws from the engagement. The SSAE 18 also
contains certain incremental requirements for a situation where auditor plans to deny any opinion.
 Elements of the Section 801 Report That Are Not Required in the ISAE 3402

Learn More to visit on Taxation 

SSAE 18 contains certain requirements that are additional to those in ISAE 3402. These requirements are as
o The identification of any information included in the documentation that is not covered by the service
auditor’s report.
o A reference to management’s assertion, and a statement that management is responsible for identifying
any of the risks that threaten the fulfillment of the control objectives.
o A statement that the examination included assessing the risks that management’s description of the service
organization’s system is not fairly presented and that the controls were not suitably designed or operating
effectively to achieve the related control objectives.
o A statement that an examination engagement of this type also includes evaluating the overall presentation
of management’s description of the service organization’s system and suitability of the control objectives
stated in the description.
We believe, that the article what have enhance your understanding of the two standards and their key differences.
Please reach out us if you still have any queries or for any further information.

2 thoughts on “The US and UK attestation standards (SSAE vs. ISAE)”

Leave a Reply

Your email address will not be published. Required fields are marked *