How Did the Written Assertion Develop and Why Is It Important in SOC 1 Reporting?
As you prepare for your next Service Organization Control (SOC) 1 audit—whether it is your first audit or one of many your organization has performed—you must provide a written assertion to the auditor.
A written assertion for a SOC 1 report represents one of the fundamental differences from previous standards, including the now long-defunct SAS 70 auditing standard, which actually had no written assertion requirement.
As of the update known as the Statement on Standards for Attestation Engagements 16 (SSAE 16), which was once again updated as SSAE 18 on May 1, 2017, written assertions became standard protocol in SOC 1 reports.
The American Institute of Certified Public Accountants (AICPA) developed the written assertion because the body wanted management for the service organization to stand side-by-side with the auditor when reporting on internal controls for a service organization.
Additionally, the written assertion is vital to the audit because it makes sense for the IT manager or other service organization leader to provide a written and signed assertion in the report, since the service controls relate to crucial financial reporting considerations at user organizations.
With the written assertion available to the auditor, he or she will have a more global perspective of the internal controls at the service organization, thanks to the insights and cooperation of the service organization manager. Such cooperative measures make it easier for the auditor to ultimately provide an objectively favorable report and unqualified opinion.
Be Sure to Include the Following 3 Clauses in a Written Assertion for SOC 1
Since you need to provide a written assertion to your selected certified accounting firm to launch your next SOC 1 audit for your client, it may help to know three of the most important things you need to include.
The simplest definition of a written assertion is that it describes the service organization’s system to help the auditor perform the upcoming audit with certain reasonable assumptions in mind. Additionally, there are three primary clauses that can help you understand the in-depth details and requirements of the written assertion:
- The description of the service organization’s “system” must fairly present the system, which was designed and implemented at either a specific date when performing a SOC 1 Type I audit, or throughout a specified period of time when performing a SOC 1 Type II audit, using the SSAE 18 as the professional standard.
- The drafting manager must “assert” that the controls related to the control objectives stated in his or her description of the service organization’s system were suitably designed to achieve those control objectives at either a specific date when performing a SOC 1 Type I audit, or over a specified period of time when doing a SOC 1 Type II audit.
- The service organization manager must also discuss the criteria used to effectively make his or her written assertions. These assertions are additional statements and supporting sources regarding risk factors that may relate to controls and control objectives for a Type II report, ensuring that controls were consistently applied over the specified time frame.
While not an official clause, it is also important to note that the written assertion by the service organization manager may be submitted in two different ways:
- Included within the actual description of the service organization’s “system,” as an interwoven portion of the document.
- Simply attached to the description of the system as a separate document.
Remember that the written assertion is an official document and that it should be printed on the letterhead of the actual service organization.
HOW CONFIDENT DO YOU FEEL ABOUT THE WRITTEN ASSERTION FOR YOUR UPCOMING SOC 1 AUDIT?
Are you confident that the service organization manager can provide a strong written assertion to support the service organization’s internal controls for an upcoming SOC 1 audit? If you are still foggy about what the written assertion letter needs to include or how to best lay it all out, our SOC 1 auditing team at I.S. Partners, LLC can help clear everything up for you and the service organization manager.
If you simply need an auditor to perform your upcoming SOC 1 audit, we can certainly answer any questions for you. And our SOC 1 professionals will gladly step in to help if you need a certified public accountant to take on your next audit.