SAS 70 vs SSAE 16
Both SAS 70 and SSAE 16 were developed by the AICPA or the American Institute of Certified Public Accountants for auditors who do the auditing process for the service companies. The auditor is usually an external or third-party entity in the process.
In essence, SAS 70 and SSAE 16 are written guidelines and an audit process in one. The guidelines are written instructions for auditing the company’s financial info. and reporting the company’s process of transaction for the benefit of the company and its clients.
An auditing is usually commissioned by the service organization or the company or its user organization (its clients once or twice a year) . It usually tries to pinpoint the level of compliance of the company and is considered today as an essential requirement in any service company. An SAS 70 or SSAE 16 can be used in outsourcing services, critical process secure internal controls, and data security. It can be used as an evaluation of the company itself or a great marketing tool to attract potential clients. However, the similarities end there.
SAS 70, which strands for Statements for Auditing Standards, has been the formal standards of service auditing from the early 90’s to June 15, 2011. It has been replaced by the SSAE 16, which is the acronym for Statements for Standard in Attestation Engagements, the new standard that came into effect on
June 15, 2011, and onwards.
The main differences lie in the contents of both standards. When speaking of form, SAS is an audit standard while SSAE is an attestation standard. In previous SAS, the management provides written representation in the form of a management representation letter before the report, though the letter is not included in the report while the written assertion in the SSAE is included in the report of the auditor.
In the case of suitable criteria, it is not included in the SAS report as well as the management assertion while the SSAE includes it as a tool of management as a basis for their written assertion. The suitable criteria are also a determining factor whether the assessment should be classified as a Type I or Type II report.
Both SAS 70 and SSAE 16 include the Type I and Type II reports. Both standards have the Type I report opinion written as of a date in time. In the SAS 70, the Type II report is also written in this manner. In contrast, the SSAE 16‘s Type II report should be written over the entire review period.
Evidence from prior engagements is usually used in the former standard, but the new standard requires no usage of this. Also, the service auditor is not required to disclose if the said auditor used the internal audit’s work. This was overturned in the new standard. There is also no requirement to obtain representation while the SSAE standard requires the material to provide assertions.
Lastly, the previous SAS reports cannot be used by the service organization’s management, its customers, and the customers’ financial statement auditors while the resent SSAE report is modified to the same audience. The service organization and the customers’ financial statement auditors still have the same restriction, but customers are restricted to use the report-on-report date (in the case of a Type I) or during the review period (when referring to the Type II).
1.The SAS is the former standard of service auditing that expired on June 15, 2011, while the SSAE is the replacement standard from June 15, 2011, and onwards.
2.An SAS is an audit standard while an SSAE is an attestation standard.
3.A management representation letter is often provided by the company prior to the report, but it is not included in the report per se while the new standard requires that the written attestation should be included.
4.Suitable criteria are not included in an SAS report, but it is a strict requirement for the SSAE standard since it is the basis of the company’s written assertion.
5.A Type II report in the SAS standard is written as date of a date in time while the Type II in SSAE standards is written over the entire review period.