As you prepare for your next Service Organization Control (SOC) 1 audit—whether it is your first audit or one of many your organization has performed—you must provide a written assertion to the auditor.
The written assertion for a SOC 1 report is one of the fundamental differences from previous standards, including the now long-defunct SAS 70 auditing standard, which had no written assertion requirement at all.
What Is a Written Assertion?
An organization will be asked to provide management’s written assertion to its auditor at the start of the SOC auditing process. Because it is a written claim by the organization describing its systems and what its services are expected to accomplish for the organizations with which it does business, this assertion serves as the foundation for the audit. It informs auditors how an organization’s system is set up and how it is supposed to operate. For an auditor to perform a SOC 1 audit, the organization must acknowledge and accept the responsibility of developing a written assertion.
An assertion, according to the AICPA, is any statement or set of declarations as to whether the subject matter is in full compliance with the criteria. The AICPA also specifies three purposes for management’s written assertion:
- Determines whether the service organization’s system description is presented according to the criteria.
- Determines whether the controls specified in the description were properly designed.
- Addresses whether the controls were functioning properly during a Type II engagement.
Why Is the Written Assertion Important to SOC 1 Reporting?
The American Institute of Certified Public Accountants (AICPA) developed the written assertion because it wanted management of the service organization to stand side-by-side with the auditor when reporting on the service organization’s internal controls.
The written assertion is also vital to the audit for a practical reason: because the service organization’s controls relate to crucial financial reporting considerations at user organizations, it makes sense that the IT manager or another service organization leader provides a written and signed assertion in the report.
With the written assertion available to the auditor, he or she will have a more global perspective of the internal controls at the service organization, thanks to the insights and cooperation of the service organization manager. Such cooperative measures make it easier for the auditor to ultimately provide an objectively favorable report and unqualified opinion.
3 Key Clauses Needed in a SOC 1 Written Assertion
Since you need to provide a written assertion to your selected certified public accounting firm to launch your next SOC 1 audit for your client, it may help to know three of the most important things you need to include.
The simplest definition of a written assertion is that it describes the service organization’s system to help the auditor perform the upcoming audit with certain reasonable assumptions in mind. Additionally, there are three primary clauses that can help you understand the in-depth details and requirements of the written assertion:
- The description of the service organization’s “system” must fairly present the system as it was designed and implemented, either as of a specific date when performing a SOC 1 Type I audit or throughout a specified period of time when performing a SOC 1 Type II audit, using SSAE 18 as the professional standard.
- The drafting manager must “assert” that the controls stated in his or her description of the service organization’s system were suitably designed to achieve the stated control objectives, either as of a specific date when performing a SOC 1 Type I audit or over a specified period of time when performing a SOC 1 Type II audit.
- The service organization manager must also discuss the criteria used to make his or her written assertions. For a Type II report, these are additional statements and supporting sources regarding risk factors that may relate to the controls and control objectives, supporting the claim that the controls were consistently applied over the specified time frame.
While not an official clause, it is also important to note that the written assertion by the service organization manager may be submitted in two different ways:
- Included within the actual description of the service organization’s “system,” as an interwoven portion of the document.
- Simply attached to the description of the system as a separate document.
Remember that the written assertion is an official document and that it should be printed on the letterhead of the actual service organization.
Confirmation of the SOC 1 Written Statement
An auditor will review an organization’s internal controls throughout the SOC 1 or SOC 2 audit process, culminating in a final audit report in which the auditor’s judgment is based on whether or not the assertion was presented fairly. This means that when an organization submits its assertion to its auditor, the assertion must be as accurate and reliable as possible. For example, if your organization claims that your employees are properly trained on cybersecurity best practices, you must be able to demonstrate to the auditor that this training takes place so that the auditor can validate the claim.
Get Support While Preparing for Your SOC 1 Examination
Are you confident that the service organization manager can provide a strong written assertion to support the service organization’s internal controls for an upcoming SOC 1 audit? If you are still unclear about what the written assertion letter needs to include or how best to lay it out, our SOC 1 auditing team at I.S. Partners, LLC can help clear everything up for you and the service organization manager.
Our SOC 1 professionals will gladly step in to help if you need a certified public accountant to take on your next audit.