The US and UK attestation standards (SSAE vs. ISAE)
Usually, when you look out to get an independent controls attestation for your organization by a third-party service auditor, you may come across many ways of getting that done. You can either get a SOC 1 or SOC2 audit done (Type I or Type II) based on your requirements and choose your attestation standards for the report i.e. either ISAE (the UK standard, No. 3402 being the latest one) or the SSAE (the US standard, No. 18 being the latest). In this article, we will touch upon both the standards, their managing authorities, and the key differences which will help you
understand what exactly they are and identify the best one for yourself.
SSAE stands for Statement on Standards of Attestation Engagements (the US standard) and is managed by AICPA (American Institute of Certified Public Accountants) which reports to FASB (Financial Accounting Standards Board). Principally both standards are designed to achieve the same objective in terms of reporting the establishment of effectively designed controls over financial reporting and each service organization may need to provide reports to their clients (user entities) according to different standards. For service organizations catering services within the United States, SSAE18 is best suited. While for the ones providing services outside the US, reporting can be done by the ISAE 3402 standards (termed as a combined report). Further, there are a few key differences when it comes to the performance and reporting style of both standards.
Below are the major key differences that one should know:
Investigation of the Intentional Acts Both standards require the investigation of any deviations identified during the testing. They direct the service auditor to investigate the noted deviations that could have been caused by an intentional act of the service organization’s (SO) personnel. The SSAE 18 directs that the auditor should receive a written representation from SO management detailing any actual or suspected intentional acts (like employees committing fraud) that could impact the fair presentation of management’s description of the system. However, ISAE 3402 does not explicitly require auditors to obtain written representations.
Dealing with Operating Anomalies Any finding that deviates from the standard is an Operating Anomaly. SSAE 18 treats all deviations in the same manner, rather than as an anomaly. However, ISAE 3402 contains a requirement that allows a service auditor to conclude that any identified deviation while testing a sample of the control can be considered an anomaly. The idea is that when controls are sampled, they are not necessarily representative of the entire population from the samples drawn.
Assistance from Internal Audit Team
SSAE 18 enables the use of direct assistance from the service organization’s internal audit function by the U.S. audit standards guidance. ISAE 3402 does not allow the use of the internal audit function for
Subsequent Events SSAE 18 calls out that the service auditor should report any event that could be significant to prevent users from being misled. A subsequent event would be something that could change management’s assertion after the audit period has ended. However, ISAE 3402 restricts the types of subsequent events that would be disclosed in the service auditor’s report to only those that could have a significant effect on the service auditor’s report.
SSAE 18 requires that the auditor’s report should include a statement restricting the use of the report to management of the service organization, user entities, and user auditors. However, ISAE 3402 requires that the service auditor’s report include a statement that indicates that the report is intended for the service organization, user entities & user auditors but does not require a statement restricting its use.
Acceptance of Engagement and Continuation SSAE 18 directs that management should acknowledge and accept the responsibility of providing the service. However, ISAE 3402 does not require this acknowledgment.
Disclaimer of Opinion If the service provider does not provide the assessor with specific written representation, ISAE 3402 requires that the auditor deny an opinion after discussing the concern with management. If this happens, the auditor can carry out the required action. The SSAE 18 also contains certain incremental requirements for a situation where the auditor plans to deny any opinion.
These requirements are as follows:
1- The identification of any information included in the documentation that is not covered by the service auditor’s report.
2- A reference to management’s assertion, and a statement that management is responsible for identifying any of the risks that threaten the fulfillment of the control objectives.
3- A statement that the examination included assessing the risks that management’s description of the service organization’s system is not fairly presented and that the controls were not suitably designed.
4- A statement that an examination engagement of this type also includes evaluating the overall presentation of management’s description of the service organization’s system and the suitability of the control objectives stated in the description.
We believe, that the article what has enhanced your understanding of the two standards and their key differences. Please reach out to us if you still have any queries or for any further information.