This article addresses the what, when, why, and who of letters of representation for audits, specifically SOC audits.
What is a Letter of Representation?
A letter of representation (a.k.a., representation letter, rep. letter, LOR) in audit services is a form letter from the American Institute of Certified Public Accountants typically prepared by the external auditors on behalf of a company’s management that is signed by a member of executive leadership. By signing the letter of representation, the executive attests to the external auditor that all of the information submitted is accurate, and that all material information has been disclosed to the auditors. For a financial audit, that material would be the financial statements and internal controls over financial reports. In the context of a SOC 1 or SOC 2 examination, company representation letters allow the management of the company to not only confirm that all material information has been disclosed to the service auditors, but also to take responsibility for the presentation and accuracy of the assertion and description in the report and to confirm that the controls were designed and operating effectively during the period of the assessment.
As you can imagine, a letter of representation is an important piece of evidence in any audit. Management’s representations and attestations in the letter provide some assurance that the information provided during the examination is reliable for the service auditor to use in audit procedures and as a basis for its opinion. Management’s attestation in the representation letter also shifts blame to management in the case that a control failure or inaccuracy is missed during an audit because information was not made available or disclosed to the service auditor.
When is a Letter of Representation Prepared?
As it is a form letter, a letter of representation may be prepared at any point during a SOC 1 or SOC 2 examination. However, paragraph .54 of AT-C section 205 (SSAE 18) specifies that a representation letter must be dated as of the date of the service auditor’s report. The letter may be signed any time between the date of the report and the date the report is issued. However, because it is an important piece of evidence supporting an audit opinion, the letter of representation should be signed before the report is issued (AICPA’s SOC 1 Guide 4.189).
Why is the Letter of Representation Important?
As noted earlier, the simple answer is that the letter of representation is required by the American Institute of Certified Public Accountants, the governing body for attestation services. If management refuses to provide the requested representations, the service auditor would consider it “a limitation on the scope of the examination sufficient to preclude an unmodified opinion and may be sufficient to cause the practitioner to withdraw from the engagement” (Paragraph .A64 of AT-C section 205). Similar actions would be taken should the service auditor conclude that there is sufficient doubt about the competence, integrity, ethical values, or diligence of those providing the written representations; or the service auditor concludes that the written representations are otherwise not reliable and is unable to resolve the concerns through additional procedures. From a practical standpoint, because management’s written representations are an important consideration when forming the service auditor’s opinion, the service auditor would not ordinarily be able to issue the report until the service auditor had received the representation letter.
Who is Responsible for the Letter of Representation?
The AICPA’s guidance requires, when the engagement covers a modified or extended period, that the auditor obtain management’s written representation in the form of a representation letter addressed to the auditor. The AICPA requires that the service auditor request the written representations from management.
What are the Contents of a Letter of Representation in Auditing?
Paragraph .38 of AT-C section 320 (SSAE 18) requires “the service auditor to request from management written representations required by paragraph .50 of AT-C section 205 as well as those required by paragraph .36 of AT-C section 320.” The auditor and management may add additional representations to the letter. The written representations required by paragraph .50 of AT-C section 205 are identified in items a-i and the written representations required by paragraph .36 of AT-C section 320 in items j-k.
The following summarizes the minimal representations to be included in the letter:
A. Include the management’s assertion about the description, controls, control objectives (SOC 1), and trust services criteria (SOC 2) based on the criteria.
B. A statement that all relevant matters are reflected in the description or evaluation of the related controls or assertion.
C. A statement that all known matters contradicting the control objectives, trust services criteria, or assertion and any communications from regulatory agencies or others affecting the control objectives, trust services criteria, or assertion have been disclosed to the practitioner, including any communications between the end of the period addressed in the written assertion and the date of the service auditor’s report.
D. Acknowledge responsibility for:
- the description in the report and the assertion;
- selecting the applicable criteria; and
- determining that the applicable criteria are appropriate.
E. A statement that any events after the period (or point in time) related to the description, control objectives, or trust services criteria being reported on, which would have a material effect on the control objectives, trust services criteria, or assertion, have been disclosed to the auditor.
F. A statement that the individual signing and the company have provided the service auditor with all relevant information and access.
G. When applicable, a statement that the individual signing believes the effects of uncorrected misstatements are immaterial, when considered individually and in aggregate, to the control objectives or trust services criteria.
H. When applicable, a statement that significant assumptions used to make any material estimates are reasonable.
I. A statement that the individual signing and the company have disclosed the following to the service auditor:
- Any and all deficiencies in internal control relevant to the engagement of which the responsible party is aware;
- Knowledge of any actual, suspected, or alleged fraud or violation of laws or regulations affecting the control objectives or trust services criteria; and
- Other matters as the service auditor deems appropriate.
J. A statement that any instances of noncompliance with laws and regulations or uncorrected misstatements attributable to the service organization that may affect one or more user entities have been disclosed to the service auditor.
K. A statement that any knowledge of actual, suspected, or alleged fraud by the management or employees of the service organization that could adversely affect the fairness of the presentation of management’s description of the service organization’s system or the completeness or achievement of the control objectives stated in the description has been disclosed to the service auditor.
An audit letter of representation is a form letter prepared by a company’s service auditor and signed by a member of senior management. In the letter, management attests to the accuracy and completeness of the information provided to the service auditors for their analysis. The letter must be dated as of the date of the report and signed on or after that date. The service auditor must obtain a signed representation letter that includes, at a minimum, the required representations specified by the AICPA in order to opine on an audit.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.