SAS 70 was replaced by a new attestation standard for reporting on service organizations on 15 June 2011.

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in April 2010.  SSAE 16 effectively replaced SAS 70 as the standard for reporting on service organizations.  SSAE 16 was drafted and issued with the intention and purpose of updating the US service organization reporting standard so that it mirrors and complies with the new international service organization reporting standard – ISAE 3402 (see further discussion below). 

You can now order a copy of SSAE No. 16 from the AICPA's online store at - request publication number 023035.  There is also a new AICPA Guide for reporting under the new SSAE 16 standard called "Applying SSAE No. 16, Reporting on Controls at a Service Organization (SOC 1)" that was issued in May 2011.  It is publication number 0127910 and can also be ordered from the AIPCA at

The AICPA also has a web page dedicated to Service Organization Controls (SOC) reporting that you can view at

Reporting under SSAE 16 requires a few changes from reporting under SAS 70.  The changes include management of the service organization must now provide a written assertion regarding the effectiveness of controls, which is now included in the final service auditor's report.  You can read more about SSAE 16 at the SSAE 16 web site

International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC). ISAE 3402 was developed to provide an international assurance standard for allowing public accountants to issue a report for use by user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization’s system of internal control over financial reporting.  ISAE 3402 also became effective on 15 June 2011.

You can download a copy of ISAE 3402 from the IFAC web site here.
If you need further information, contact us.

Comments are closed
Anonymous commented on 21-Jul-2010 02:00 AM
What are differences between SAS 70 (or ISAE N°3402) and the SOX 404 ?
Lori Shirley commented on 08-Sep-2010 07:11 AM
What are the main differences between SAS70 and the SSAE 16. Based on communication I have received SSAE 16 will effectively replace SAS 70 as the standard for reporting. If so, when will this 'officially' take effect?
Edward Berkins commented on 07-Jul-2011 08:53 AM
Lori, SAS 70 is old news, SSAE 16 replaced it on June 15th, 2011.