What is Management’s Written Assertion?
At the beginning stages of the SOC 1 or SOC 2 audit process, an organization will be asked to provide management’s written assertion to its auditor. This assertion lays the foundation for the audit because it is a written claim by the organization describing its system and what its services are expected to accomplish for the organizations it does business with. It tells the auditor how the organization’s system is designed and how it is supposed to operate. For an auditor to be able to perform a SOC 1 or SOC 2 audit, the organization must acknowledge and accept the responsibility of providing management’s written assertion.
The AICPA defines an assertion as any declaration or set of declarations about whether the subject matter is in accordance with, or based on, the criteria. The AICPA also lays out three functions of management’s written assertion:
- Addresses whether the description of the service organization’s system is presented in accordance with the description criteria
- Addresses whether the controls stated in the description were suitably designed
- Addresses whether, in a Type II engagement, the controls were operating effectively
Testing an Assertion
Throughout the SOC 1 or SOC 2 audit process, an auditor will review an organization’s internal controls, culminating in a final audit report wherein the auditor’s opinion is based on whether or not the assertion was fairly presented. This means that when an organization provides their assertion to their auditor, it needs to be as accurate as possible. For example, if your organization provides an assertion that states your employees are regularly trained and tested on cybersecurity best practices, you need to be able to show an auditor that this training does occur so that the auditor can validate that this claim is accurate.
One of the things that management has to provide to their auditor is an assertion. The assertion is a written document that provides a description of the system and what it is that the service is expected to accomplish for the user organization. The assertion is a detailed description of how the system is designed and how it’s supposed to operate. This assertion has to be received by the auditor and our opinion is based on whether or not the assertion is fairly presented.