The standards ISAE 3402 and SSAE 16 require that management of the service organisation provides a written assertion attesting to the fair presentation and design of controls (in a Type 1 report) or the fair presentation, design, and operating effectiveness of controls (in a Type 2 report). This written assertion is separate from the written representations obtained from management.
Under these standards, engagements are considered `assertion-based´: management is required to provide a written assertion, even though the auditor will continue to report on the subject matter (i.e. whether controls are fairly presented, suitably designed, and [in a Type 2 report] operating effectively).
In order to provide a written assertion, management will need to have a reasonable basis for making the assertion, which may include developing their own processes to support the assertion if such processes are not already in place. ISAE 3402 and SSAE 16 provide specific requirements that management must meet in order to provide a written assertion.
For instance, management is required to:
Therefore, management is not able to rely solely on the testing performed by the service auditor to provide their assertion.
If the service organisation relies on controls at a subservice organisation and management elects to use the inclusive method (that is, management’s description of the service organisation’s system includes controls at the subservice organisation), management will also need to determine whether controls at the subservice organisation are suitably designed or suitably designed and operating effectively, depending on whether they are executing a Type 1 or Type 2 report.
In order to make this determination and to support their own assertion, management of the service organisation would need to obtain a written assertion from management of the subservice organisation. If the management of a service organisation does not provide an assertion, the service auditor will not be able to accept the engagement.
Management written assertion: example activities
|Example procedures||Service auditor performs testing and issues report||- Management reporting and other oversight activities
- Management risk assessment
|- Internal audit testing/monitoring
- Independent regulatory examination
- Independent risk assessment
|Management or independent assessment of operating effectiveness of controls|
|Supporting documentation||None||- Management monitoring documentation
- Management risk assessment documentation
|- Internal audit reporting
- Regulatory reporting
- Independent risk assessment results
|Testing evidence for the operating effectiveness of controls|
A combination of ongoing monitoring and separate evaluations will usually help ensure that internal control maintains its effectiveness over time.