written assertion soc1
Bernard Gallagher
Listen to: "Prepare A Complete and Effective Written Assertion for Your Upcoming SOC 1 Audit"

How Did the Written Assertion Develop and Why Is It Important in SOC 1 Reporting?

As you prepare for your next Service Organization Control (SOC) 1 audit—whether it is your first audit or one of many your organization has performed—you must provide a written assertion to the auditor.

A written assertion for a SOC 1 report represents one of the fundamental differences from previous standards, including the now long-defunct SAS 70 auditing standard, which actually had no written assertion requirement.

As of the update known as the Statement on Standards for Attestations Engagements 16 (SSAE 16), which was once again updated as SSAE 18 on May 1, 2017, written assertions became standard protocol in SOC 1 reports.

The American Institute of Certified Public Accountants (AICPA) developed the written assertion because the body wanted management for the service organization to stand side-by-side with the auditor when reporting on internal controls for a service organization.

Additionally, the written assertion is so vital to the audit because it simply makes sense that the IT manager or other service organization leader provide a written and signed assertion in the report since the service controls relate to crucial financial reporting considerations at user organizations.

With the written assertion available to the auditor, he or she will have a more global perspective of the internal controls at the service organization, thanks to the insights and cooperation of the service organization manager. Such cooperative measures make it easier for the auditor to ultimately provide an objectively favorable report and unqualified opinion.

Be Sure to Include the Following 3 Clauses in A Written Assertion for SOC 1

Since you need to provide a written assertion to your selected certified accounting firm to launch your next SOC 1 audit, for your client, it may help to know three of the most important things you need to include.

The simplest definition of a written assertion is that it describes the service organization’s system to help the auditor perform the upcoming audit with certain reasonable assumptions in mind. Additionally, there are three primary clauses that can help you understand the in-depth details and requirements of the written assertion:

  1. The description of the service organization’s “system” must fairly present the system, which was designed and implemented at either a specific date when performing a SOC 1 Type I audit, or throughout a specified period of time when performing a SOC 1 Type II audit, using the SSAE 18 as the professional standard.
  2. The drafting manager must “assert” that the control objectives stated in his or her description of the service organization’s system were suitably designed to achieve those control objectives at either a specific date when performing a SOC 1 Type I audit, or over a period of specified time when doing a SOC 1 Type II audit.
  3. The service organization manager must also discuss the criteria used to effectively make his or her written assertions. These assertions are additional statements and supporting sources regarding risk factors that may relate to controls and control objectives for a Type II report, ensuring that controls were consistently applied over the specified time frame.

While not an official clause, it is also important to note that the written assertion by the service organization manager may be submitted in two different ways:

  • Included within the actual description of the service organization’s “system,” as an interwoven portion of the document.
  • Simply attached to the description of the system as a separate document.

Remember that the written assertion is an official document and that it should be printed on the letterhead of the actual service organization.


Are you confident that the service organization manager can provide a strong written assertion to support the service organization’s internal controls for an upcoming SOC 1 audit? If you are still foggy about what the written assertion letter needs to include or how to best lay it all out, our SOC 1 auditing team at I.S. Partners, LLC. can help clear everything up for you and the service organization manager.

If you simply need an auditor to perform your upcoming SOC 1 audit, we can certainly answer any questions for you. And our SOC 1 professionals will gladly step in to help if you need a certified public accountant to take on your next audit.

Call us at 215-675-1400, request a quote, or launch a live chat to learn more about SOC 1 audits!

About The Author

Get Hassle-free Pricing in 3 Easy Steps

Request a quote using the form below
Allow us to create a customized plan
We'll get you an accurate, no-obligation quote
Untitled-1 Asset 1 Request a Quote Background

Request a Quote

Please fill out the fields below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235

Request a Quote (Keep)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.


Great companies think alike!

Join hundreds of other companies that trust I.S Partners for their compliance, attestation and security needs.

Teladoc VeriClaim DentaQuest VisioNet Verifacts Sterling AV Med DOE Legal