Compliance White Papers

Taking the hassle out of staying compliant


SOC 1 (SSAE 16/SSAE 18) reports require management of the service organization to provide the service auditor (i.e., the practitioner performing the SOC 1 (SSAE 16/SSAE 18) engagement) with a written assertion. This "written assertion" forms one of the key differences with previous standards, such as that of the now historical SAS 70 auditing standard, which did not require this to be done.

What's fundamentally important to note about the written assertion is that management must effectively "assert" to a number of clauses, such as the following:

  • That management's description of the service organization's "system" fairly presents the service organization's system that was designed and implemented at either a specific date (SOC 1 (SSAE 16/SSAE 18) Type 1 report) or implemented throughout a specified time period (SOC 1 (SSAE 16/SSAE 18) Type 2 report).
  • Additionally, management must "assert" that the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives at either a specific date (Type 1 report) or designed throughout a specified time period (Type 2 report) to achieve those control objectives along with having them operate effectively throughout the specified time period.
  • Management must also discuss the criteria used in effectively making these assertions, which again, are additional statements and supporting references regarding risk factors relating to controls and control objectives and (for a Type 2 report) that the controls were consistently applied.

What's also important to note about the written assertion by management is that it can either be included within the actual description of the service organization's "system" or simply attached to the description of the system itself. Since the written assertion comes from management of the service organization, it should essentially be on letterhead of the actual service organization. Similarly, the ISAE 3402 standard, which is the global standard used for reporting on service organizations, also gives readers two (2) excellent examples of management's assertion, which can be found in the final ISAE 3402 publication (issued December 2009) on pages 36 and 37.

But before you can move forward with writing a written assertion by management for SOC 1 (SSAE 16/SSAE 18) compliance, one needs to have a strong understanding of exactly what a description of a service organization's "system" is. And lastly, a qualified and well-skilled service auditor specializing in SOC 1 (SSAE 16/SSAE 18) compliance will be able to provide you with excellent guidance and example documentation regarding management's assertion along with a description of the service organization's system. Call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706, to learn more about SOC 1 (SSAE 16/SSAE 18) and to receive a competitive, fixed-fee quote today.

NDNB – North America’s Leading Provider of SOC 1 (SSAE 16/SSAE 18) and SOC 2 Audits

NDNB has a true national “footprint” for our services. Additionally, our work is highly regarded, and we are often mentioned as the viable, cost-effective alternative to the Big 4 accounting firms. Notable services from NDNB include SOC 1 (SSAE 16/SSAE 18), SOC 2, SOC 3, EI3PA, ACH Audits, MERS compliance, internal audits, and more. To learn more about our SOC 1 (SSAE 16/SSAE 18) and SOC 2 services, along with other compliance solutions, please contact us today, or speak directly with Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706.

Since 2006, NDNB has been setting the standard for security & compliance regulations