What is a Letter of Representation?
At the end of all SAS 70 audit engagements, the service auditor asks management to take responsibility for the presentation of the description of controls found in Section II of the report. The following is a short excerpt from the letter of representation:
“I recognize that, as management of ABC Company, I am responsible for the fair presentation of the description of the ABC’s controls and for establishing and maintaining appropriate controls related to the processing of transactions for user organizations.
We believe that the description of controls presents fairly, in all material respects, those aspects of the organization’s controls that may be relevant to user organizations’ internal control.
We have responded fully to all inquiries made to us by you during your examination.”
Even if the service auditor assists with the preparation of the description of controls, the service organization still must take responsibility (AICPA SAS 70 Audit Guide 2.17).
The letter also serves to confirm to the service auditor that the description is stated fairly; in other words, that it contains no inaccuracies or mischaracterizations.
The letter of representations is a requirement as stated in paragraph 61 of SAS 70 (AICPA AU324.61). Ultimately, this serves to help protect the service auditor, user organizations, and user auditors from relying on false information contained within the description of controls. Also important is the date of the letter, which should be on or after the report date. The reason? The service auditor must have completed their work before they can opine on the controls.
I have personally witnessed some company executives refuse to sign the letter of representations and even tear it up on the basis that they cannot be responsible for the actions of their employees. Funny and true. In the end, the letter always gets signed, because if management won’t back their controls, neither will the service auditor.