What is an Assertion? How Audit Assertions Relate to SOC Reports

What are audit assertions?

The Oxford dictionary defines an assertion as “a confident and forceful statement of fact or belief.” Making an assertion is often used synonymously with stating an opinion or making a claim.

Company executives are required to make assertions or claims to the public regarding certain aspects of a business. Independent auditors use these representations as the foundation from which they design and perform procedures to test management’s assertions and form an opinion to which they attest to the public. A lot of work is required for an organization to support the assertions that a management team makes. Often controls related to financial reporting extend beyond the immediate company to service organizations supporting its operations.

If you are new to financial accounting or auditing, you probably have a lot of questions. Don’t worry, you are not alone. There are quite a few people asking a lot of questions. The following are some of the most common questions related to assertions out on the web:

  • Why are audit assertions important?
  • What is the purpose of assertion?
  • What does assertion mean in auditing?
  • What are audit assertions?
  • What is a management assertion?
  • How many audit assertions are there?
  • What are the five audit assertions?
  • What are the seven audit assertions?
  • How do you test audit assertions?
  • What is an assertion example?

Hopefully, this will help answer the questions you have and help clarify your understanding.
 


 

What are Financial Statement Assertions?

While assertions are made in all aspects of life, in an accounting or business setting, most people think of a company’s financial statements, or the audit of the financial statements, when they think of assertions. This is because the AICPA, the Sarbanes-Oxley Act, and subsequent audit standards issued by the Public Company Accounting Oversight Board (PCAOB) require members of management for publicly traded companies to make implicit or explicit claims and representations regarding the accuracy of their company’s financial statements and the organization’s internal control over financial reporting. These representations are commonly referred to as Audit Assertions, Management Assertions, and Financial Statement Assertions.

Auditors for these companies perform procedures to test the validity of management’s assertions and to provide an independent opinion. While audit procedures do not provide absolute assurance, an audit is designed to provide readers of financial statements with reasonable assurance that an entity’s financial statements fairly present its financial position in all material respects.

 

What are the 5 (or 7) Audit Assertions?

Some people say that there are five audit assertions or five management assertions related to financial statements. Some people say there are seven. They are both right. There are five assertions, but the name for two of them vacillates depending on what the assertion is being related to in an audit. The five (or seven) assertions are the following:

  • Occurrence or Existence
  • Completeness
  • Allocation or Valuation
  • Rights and Obligations
  • Presentation and Disclosure

Five (Seven) Audit Assertions

There are three areas of assertions in financial accounting. Some people may refer to these as audit assertions as they are evaluated during an audit of an entity’s financial statements. Auditors will employ a wide variety of procedures to test a company’s financial statements with respect to each of these assertions.

The following lists the types of audit assertions in the three areas of a financial audit. One would expect these assertions to be addressed in an audit. Each entry also gives the assertion’s definition to help one understand how it is used in an assessment.

 

Types of Audit Assertions

Assertions for Classes of Transactions:

  • Occurrence Assertion – Transactions recognized in the financial statements have occurred and relate to the entity.
  • Completeness Assertion – All transactions that were supposed to be recorded have been recognized in the financial statements.
  • Accuracy Assertion – Transactions have been recorded accurately at their appropriate amounts.
  • Cut-off Assertion – Transactions have been recognized in the correct accounting periods.
  • Classification Assertion – Transactions have been classified and presented fairly in the financial statements.

Assertions related to Assets, Liabilities, and Equity Balances at the period end:

  • Existence Assertion – Assets, liabilities, and equity balances exist at the period end.
  • Completeness Assertion – All assets, liabilities, and equity balances that were supposed to be recorded have been recognized in the financial statements.
  • Rights & Obligations Assertion – Entity has the right to ownership or use of the recognized assets, and the liabilities recognized in the financial statements represent the obligations of the entity.
  • Valuation Assertion – Assets, liabilities, and equity balances have been valued appropriately.

Assertions related to Presentation and Disclosures:

  • Occurrence Assertion – Transactions and events disclosed in the financial statements have occurred and relate to the entity.
  • Completeness Assertion – All transactions, balances, events, and other matters that should have been disclosed have been disclosed in the financial statements.
  • Classification & Understandability Assertion – Disclosed events, transactions, balances, and other financial matters have been classified appropriately and presented clearly in a manner that promotes the understandability of information contained in the financial statements.
  • Accuracy & Valuation Assertion – Transactions, events, balances, and other financial matters have been disclosed accurately at their appropriate amounts.

The following is a good explanation of the financial assertions as they pertain to ISA 135.

Management’s Internal Control Assertions

The Sarbanes-Oxley Act (SOX), issued in 2002, added additional responsibility to the management of publicly traded companies. Management of these corporations was now required to assess and assert as to the effectiveness of the organization’s internal controls over financial reporting. Consequently, in addition to assessing the presentation of an organization’s financial statements, auditors must evaluate the internal controls within the processes that could materially impact the financial statements.

SOX also created the Public Company Accounting Oversight Board (PCAOB)—an organization intended to assess the work performed by public accounting firms to independently assess and opine on management’s assertions. The PCAOB’s Auditing Standard number 5 is the current standard over the audit of internal control over financial reporting.

Some may also refer to these assertions as SOX assertions, COSO assertions, or even internal audit assertions, as they are management’s assertions related to the effectiveness of their organization’s internal controls. While it is understandable how one might associate these shortened nicknames, the entity’s management and auditor assertions are technically referred to as management’s assessment of the effectiveness of internal control over financial reporting. Management is required to perform its own assessment and assert, along with its assertion related to its financial statements, that their environment has adequate internal controls over financial reporting. The audit firm performing the integrated audit is also required to assess and opine that the entity maintains effective internal control over financial reporting to provide reasonable assurance regarding the reliability of its financial reporting.

 

How Does SOX Impact Service Providers?

While not directly subject to SOX, many non-public companies have been indirectly impacted because they provide services for publicly traded companies. If a publicly traded company’s auditor (user auditor) determines that the services provided have a material impact on the company’s financial statements, the non-public business may be required by its client to provide assurance that their processes are under control. If the service entity is unable or unwilling to provide evidence of the suitability of the design and operating effectiveness of their internal controls, the user entity may request that their auditors have the opportunity to assess the material processes themselves. A service organization with a number of public clients or user organizations could be inundated with audit requests by user auditors attempting to audit their process to gain comfort on their customers’ assertions over internal controls.

How Can a System and Organization Controls (SOC) Report Help?

A SOC 1 (formerly SSAE 16) audit is designed to provide a user auditor with a basis for identifying and assessing the risks of material misstatement at the financial statement and internal control assertion levels related to the services provided by the service organization.

A SOC 1 report (type 2) includes the following:

  • Management’s description of the service organization’s system
  • Management’s written assertion
  • The service auditor’s report in which the service auditor expresses an opinion on the fairness of the presentation of management’s description of the service organization’s system
  • The suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

Type 1 audits cover the same areas; however, the auditor’s opinion only addresses the suitability of the design of controls at a point in time. There is no assurance that controls were operating effectively over a period of time. For additional information, check out our blog on SOC Report Types (1 vs 2).

A service organization can greatly reduce the number of resources expended to meet user auditors’ requests by having a Type II SOC 1 audit performed. The service organization can have the SOC audit performed once and then can simply provide a copy of the report to its clients’ auditors rather than having to respond to individual requests or having multiple process audits performed each year by user auditors.

 

Do I need a SOC 1, 2, or 3 Report?

As there are different types of SOC audits, it can be difficult to keep them straight. How do you know which one is the one you need? Hopefully, this brief summary will be helpful to you:

SOC 1: These reports are intended to help your client’s auditors evaluate the effect of the controls that you perform on your client’s financial statements.

SOC 2: These reports are intended for a broader range of user organizations. A SOC 2 report provides information about your control environment and assurance that it is operating effectively as it relates to the AICPA’s Trust Services Criteria and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. So, if you are housing or processing sensitive data for your client, but it does not have a material impact on their financial statements, this is likely the SOC report you’ll need.

SOC 3: These reports, like SOC 2 reports, address the Trust Services Principles. The main difference is that they do not provide the same level of detailed information as a SOC 2 report. However, a benefit is that this type of report may be used in marketing. These are less common. We typically see this as an add-on report made for clients who are also receiving a SOC 2 report.

Conclusion

In summation, assertions are claims made by members of management regarding certain aspects of a business. Independent auditors use these representations as the foundation from which they design and perform procedures to test management’s assertions and form an opinion. A lot of work is required for your organization to support the assertions that your management team makes. And lastly, if you are a service organization you should be cognizant of the need to maintain a strong control environment to support your clients.

If you are planning for an upcoming attestation, whether it be a SOC 1 Audit, SOC 2 Audit, HIPAA Audit, or HITRUST Audit, or if you have additional questions about our Audit Process, and would like to retain the services of Linford & Co, please contact us.