What has changed from SAS 70 to SSAE 16

  • Management Assertion: The Management of the Service Organization now has to provide a written, documented assertion on the controls. Such an assertion is also required from a Sub-Service Organization if it is included in the Report.
  • System description: Management is also responsible for providing its description of the service organization’s system (“the system”) rather than just controls.
  • Risk Identification: Identify the risks that threaten the achievement of the control objectives (although these risks are not included in the service organization report).
  • Subservice organizations: The parent Service Organization can now include the services provided by its Sub-Service Organizations under the Inclusive or Carve-Out Methods.
  • Use of internal audit reports: SSAE 16 also permits the service auditor to use the work of an internal audit function by describing the work done (by the internal audit function) and the procedures used to test that work.