Compliance White Papers


The SSAE 16 management assertion is a requirement whereby management of the service organization provides the practitioner (i.e., the CPA performing the actual SSAE 16 engagement) with a written assertion that essentially "asserts" to a number of clauses and provisions for purposes of SSAE 16 compliance. This written assertion goes by a number of closely related names, such as the following:

•    Management assertion
•    Written statement of assertion
•    Service organization assertion
•    Assertion by management
•    and other similar phrases

Specifically, the SSAE 16 management assertion requires the following:

•    That management's description of the service organization's "system" fairly presents the service organization's system that was designed and implemented at either a specific date (SSAE 16 Type 1 report) or implemented throughout a specified time period (SSAE 16 Type 2 report).

•    Management is to "assert" that the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives at a specific date (SSAE 16 Type 1 report), or were suitably designed and operated effectively throughout a specified time period (SSAE 16 Type 2 report).

•    Management is also to discuss the criteria used in making these assertions, which, again, are additional statements and supporting references regarding risk factors relating to controls and control objectives and (for an SSAE 16 Type 2 report) that the controls were consistently applied.

As you can see, the description of the "system" is a critical component of the SSAE 16 management assertion, so service organizations should have a strong technical understanding of what a description of the "system" actually is, what's included in it, etc. A competent, well-qualified CPA firm should provide ample resources to help you draft a comprehensive, detailed and relevant description of a "system".

The SSAE 16 management assertion is without question a critically important component to understand, but service organizations should also take time to learn about other relevant and notable SSAE 16 issues, such as the following:

•    Subservice Organization Reporting.
•    The internal audit function.
•    ICFR concept.
•    Service Organization Control (SOC) framework.
•    SOC 1 vs. SOC 2.

Is your organization seeking to become SSAE 16 Type 1 or Type 2 compliant? If so, contact NDNB today for a competitive, fixed fee for all SOC 1, SOC 2 and SOC 3 reporting options. Contact Christopher G. Nickell at 1-800-277-5415, ext. 706.

Since 2006, NDNB has been setting the standard for security & compliance regulations