SOC 1 (SSAE 16/SSAE 18) reports require management of the service organization to provide the service auditor (i.e., the practitioner performing the SOC 1 (SSAE 16/SSAE 18) engagement) with a written assertion. This "written assertion" is one of the key differences from previous standards, such as the now historical SAS 70 auditing standard, which did not require one.
What's fundamentally important to note about the written assertion is that management must effectively "assert" to a number of clauses, such as the following:
- That management's description of the service organization's "system" fairly presents the service organization's system that was designed and implemented at either a specific date (SOC 1 (SSAE 16/SSAE 18) Type 1 report) or implemented throughout a specified time period (SOC 1 (SSAE 16/SSAE 18) Type 2 report).
- Additionally, management must "assert" that the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives, either at a specific date (Type 1 report) or throughout a specified time period (Type 2 report), and, for a Type 2 report, that they operated effectively throughout the specified time period.
- Management must also discuss the criteria used in making these assertions, which, again, are additional statements and supporting references regarding risk factors relating to controls and control objectives and (for a Type 2 report) that the controls were consistently applied.
What's also important to note about the written assertion by management is that it can either be included within the actual description of the service organization's "system" or simply attached to the description of the system itself. Since the written assertion comes from management of the service organization, it should essentially be on the letterhead of the actual service organization. Similarly, the ISAE 3402 standard, which is the global standard used for reporting on service organizations, also gives readers two (2) excellent examples of management's assertion, which can be found in the final ISAE 3402 publication (issued December 2009) on pages 36 and 37.
But before you can move forward with writing a written assertion by management for SOC 1 (SSAE 16/SSAE 18) compliance, you need to have a strong understanding of exactly what a description of a service organization's "system" is. And lastly, a qualified and well-skilled service auditor specializing in SOC 1 (SSAE 16/SSAE 18) compliance will be able to provide you with excellent guidance and example documentation regarding management's assertion along with a description of the service organization's system. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more about SOC 1 (SSAE 16/SSAE 18) and to receive a competitive, fixed-fee quote today.
NDNB – North America’s Leading Provider of SOC 1 (SSAE 16/SSAE 18) and SOC 2 Audits