The SSAE 16 standard requires management of the service organization to provide the service auditor (i.e., the practitioner performing the SSAE 16 engagement) with a written assertion. This "written assertion" is one of the key differences from previous standards, such as SAS 70, which did not require one.
What's fundamentally important to note about the written assertion is that management must effectively "assert" to a number of clauses, such as the following:
- That management's description of the service organization's "system" fairly presents the service organization's system that was designed and implemented at either a specific date (SSAE 16 Type 1 report) or implemented throughout a specified time period (SSAE 16 Type 2 report).
- Additionally, management must "assert" that the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives at either a specific date (SSAE 16 Type 1 report) or designed throughout a specified time period (SSAE 16 Type 2 report) to achieve those control objectives along with having them operate effectively throughout the specified time period.
- Management must also discuss the criteria used in making these assertions, which, again, are additional statements and supporting references regarding risk factors relating to controls and control objectives and (for an SSAE 16 Type 2 report) that the controls were consistently applied.
What's also important to note about the written assertion by management is that it can either be included within the actual description of the service organization's "system" or simply attached to the description of the system itself. Since the written assertion comes from management of the service organization, it should essentially be on letterhead of the actual service organization. Similarly, the ISAE 3402 standard, which is the global standard used for reporting on service organizations, also gives readers two (2) excellent examples of management's assertion, which can be found in the final ISAE 3402 publication (issued December 2009) on pages 36 and 37.
But before you can move forward with writing a written assertion by management for SSAE 16, you need to have a strong understanding of exactly what a description of a service organization's "system" is.
And lastly, a qualified and well-skilled service auditor specializing in SSAE 16 will be able to provide you with excellent guidance and example documentation regarding management's assertion along with a description of the service organization's system.