
Q&A Forum

Is there any validation of management's attestation required as part of the SSAE16 standard SOC 1, SOC 2 or SOC 3 reports?

This question was asked by an attendee at a recent Proformative SAS 70/SSAE 16 event: Is there any validation of management's attestation required as part of the SSAE16 standard SOC 1, SOC 2 or SOC 3 reports?


Topic Expert
Mark Hurst
Title: Director of BAS
Company: Hein and Associates

The following verbiage comes from the AICPA's recently released "Reporting on Controls at a Service Organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2)," May 1, 2011.

Consideration of Management’s Assertion
3.104 Management may have provided the service auditor with an assertion at the beginning of the engagement that includes all the relevant aspects that would be expected. The service auditor may identify deficiencies in the operating effectiveness of controls that cause the service auditor to qualify the opinion. In this instance, the service auditor would evaluate the reason why management had not identified the deficiencies in the operating effectiveness of the controls and determine whether management should have known these existed and whether management is in a position to be able to provide the assertion or whether additional work needs to be done by management before they provide the final assertion that is attached to the description. In instances in which the service auditor has identified deficiencies that give rise to a qualification in the opinion, management is expected to modify their assertion to note those deficiencies.
3.105 The service auditor may determine that management’s assertion does not provide sufficient detail, fails to disclose deficiencies identified by the service auditor that resulted in a qualified opinion, or contains inaccuracies. In these situations, the service auditor should request that management modify its assertion. For example, when deviations identified in the examination cause the service auditor to qualify the opinion, the service auditor should ask management to amend its assertion to reflect the identified deficiencies. If management refuses to do so, the service auditor takes appropriate action, which may include additional modifications to the service auditor’s report, rendering an adverse opinion, or withdrawing from the engagement.

