SAS 70 and SSAE 16 are both professional auditing standards that organizations can use to assess the internal controls of their business. However, there are some key differences between the two that organizations should be aware of before deciding which standard is right for them. In this blog post, we will outline the main differences between SAS 70 and SSAE 16 and help you decide which standard is best suited for your organization.
What is SAS 70?
SAS 70 is a set of auditing standards developed by the American Institute of Certified Public Accountants (AICPA). SAS 70 audits are performed by CPAs to assess the internal controls of service organizations. The SAS 70 audit report is used by service organizations to provide assurance to their customers that their internal controls are adequate. SAS 70 audits are typically performed on service organizations that provide outsourced services, such as data center operators, managed service providers, and cloud computing providers.
What is SSAE 16?
SSAE 16 is a set of standards that govern how service organizations conduct themselves. SSAE 16 was created by the American Institute of Certified Public Accountants (AICPA) to provide greater clarity and consistency in the reporting of service organizations. The SSAE 16 standards are divided into two main sections: Control Objectives and Control Activities. The Control Objectives section outlines the specific goals that a service organization must achieve to comply with SSAE 16. The Control Activities section details the specific activities that a service organization must perform to achieve the control objectives. SSAE 16 compliance is not mandatory, but many service organizations choose to undergo the SSAE 16 examination to demonstrate their commitment to operational excellence.
Difference between SAS 70 and SSAE 16
- SAS 70 and SSAE 16 are two different types of reports that measure a company’s internal controls. SAS 70 is an attestation standard developed by the American Institute of Certified Public Accountants (AICPA), while SSAE 16 is an auditing standard developed by the Auditing Standards Board (ASB) of the AICPA. The key difference between SAS 70 and SSAE 16 is that SAS 70 only covers financial reporting, while SSAE 16 also includes operational and compliance information. SAS 70 reports are typically used by service organizations, while SSAE 16 reports can be used by any type of organization.
- SAS 70 was introduced in 1992 and was originally known as Statement on Auditing Standards No. 70 (SAS 70). The purpose of SAS 70 is to provide guidance on how to assess the adequacy of an organization’s internal controls. SAS 70 reports are prepared by independent auditors who evaluate a company’s controls over financial reporting. SAS 70 reports are generally used by service organizations, such as those that provide outsourcing, managed services, or cloud computing services. The major advantage of SAS 70 reports is that they help service organizations assure their customers that their internal controls are adequate.
- SSAE 16 was introduced in 2004 and superseded SAS 70 as the attestation standard for measuring internal controls. SSAE 16 was developed jointly by the ASB and the International Auditing and Assurance Standards Board (IAASB). Unlike SAS 70, which only covers financial reporting, SSAE 16 also includes operational and compliance information. This makes SSAE 16 reports more comprehensive than SAS 70 reports. However, not all organizations need such comprehensive reports. For example, small businesses or organizations with simple operations may find SAS 70 sufficient for their needs. In general, SAS 70 reports are more commonly used than SSAE 16 reports because they are less expensive to prepare and can be tailored to meet specific needs.
Conclusion
The main difference between SAS 70 and SSAE 16 is that the latter is an updated standard. SSAE 16 was introduced in 2010 as a revision of SAS 70, which was published in 1992. The goal of SSAE 16 was to provide more clarity around service organization controls (SOC) reporting. As a result of the updated standard, organizations now have two options for SOC reporting: compliance with either SAS 70 or SSAE 16.
So what does this mean for businesses? If you are currently using SAS 70 reports, it’s important to assess whether your auditors will accept these reports going forward. In many cases, auditors will only accept SSAE 16 reports. If you decide to switch to SSAE 16 reporting, make sure you work with an experienced professional who can help you through the transition process.