It was a few years ago while I was a senior manager at a Big Four firm that the CTO did not want to sign the letter of representations related to the SAS 70 audit. This was an executive at one of the world’s largest companies, and yes, it was/is a public company. After reading the boilerplate letter from the AICPA, he went into a rant and said “[h]ow do I know the controls are working? I can’t say they are working. I have no idea what the people here are doing.” He then proceeded to take the letter and draw big “X’s” through the whole letter. I wanted to say “REALLY, you did not just say THAT.” I did say that we were prohibited from releasing the report until we received the signed letter. Needless to say, the CFO eventually made the CTO sign the letter (the CTO had never signed one before), after which the report was released. It took about two extra months to go through this exercise.
So what’s the purpose of my retelling this? Simple: to some greater or lesser extent, this sort of thing happens often. Sometimes management or certain members of management do not want to put their credibility on the line, although the auditor has to. This is a problem. Among other reasons, the onslaught of audit-related litigation that has exploded in the past decade has not helped matters. The AICPA wanted management to stand side-by-side with the auditor when these internal control reports were issued. Moreover, it is only reasonable that management should have to provide a written and signed assertion in the report, since the controls relate to financial reporting at user organizations. So now the standard has changed, and SSAE 16 reports include a written assertion from management and an opinion from the service auditor.