The SOC 1 (SSAE 16/SSAE 18) standard requires management of the service organization to provide a description of its “system” along with a written assertion to the service auditor, both of which require careful attention and preparation by management themselves.

Description of its System

For SOC 1 (SSAE 16/SSAE 18), a service organization’s description of its “system” should be looked upon as the following: The services provided, along with all supporting processes (technology or manual), policies, procedures, personnel, and operational activities that aid and facilitate the daily functioning of the service organization’s core activities that are relevant to user entities.

A service organization’s description of its “system” should encompass these main attributes, but one should expect to see variations in the descriptions of these “systems”, due in large part to the differences that exist amongst service organizations themselves.

For example, a Software as a Service (SaaS) entity describing and documenting its “system” will differ noticeably from that of a Third Party Administrator (TPA) of medical claims describing their “system”. In short, no two service organization “systems” are alike, but entities should strive to include all necessary information when presenting their description of the “system” to the service auditor.  Learn more about 

Thus, the framework for documenting a service organization’s system for purposes of SSAE 16 should include a comprehensive discussion of the following components:

  • The services provided along with the classes of transactions processed.
  • The procedures used, from beginning to end, both automated and manual, for the transactions (i.e., the flow of the transactions and all activities, from initiation to correction of errors, as necessary).
  • How the system captures addresses significant events and conditions along with what processes and procedures are used to prepare and report information as necessary to user entities.
  • The control objectives, related controls and user control considerations
  • The service organizations elements of internal control, which are generally based on the COSO framework consisting of the following: 1. Control Environment. 2. Control Activities. 3. Information and Communication. 4. Risk Assessment. 5. Monitoring

SOC 1 (SSAE 16/SSAE 18) written assertion by management

Management of the service organization must also produce a "written assertion" for purposes of SOC 1 (SSAE 16/SSAE 18) reporting, which is to "assert" that (1). management description of the service organization's "system" is fairly presented, (2). that the controls and related control objectives were suitably designed and (for purposes of SOC 1 (SSAE 16/SSAE 18) Type 2 reporting), were operating effectively.

Any service organization undertaking SOC 1 (SSAE 16/SSAE 18) compliance should seek assistance and guidance from a qualified SOC 1 (SSAE 16/SSAE 18) auditing firm for gaining a comprehensive understanding of the written assertion by management.

Lastly, for purposes of SOC 1 (SSAE 16/SSAE 18) reporting, the actual written statement of assertion according to the SSAE 16/SSAE 18 publications released by the American Institute of Certified Public Accountants (AICPA), states that it may be included in or attached to management's description of the service organization's system. This provides flexibility to the service auditor for purposes of drafting the final SOC 1 (SSAE 16/SSAE 18) report. A number of practitioners have noted that service auditor's performing SOC 1 (SSAE 16/SSAE 18) engagements should also require management of the service organization to produce the actual written statement of assertion on their own letterhead, much like that of a management representation letter.  Want to receive a competitive, fixed-fee for SOC 1 (SSAE 16/SSAE 18) Type 1 and Type 2 compliance? Then please contact us today or call Christopher G. Nickell, CPA, at 1-800-277-5415, ext. 706 today.