What is an Assertion? How Management Assertions Relate to SOC Reports

The Oxford dictionary defines an assertion as “a confident and forceful statement of fact or belief.” Making an assertion is often used synonymously with stating an opinion or making a claim.

Company executives are required to make assertions or claims to the public regarding certain aspects of a business. Independent auditors use these representations as the foundation from which they design and perform procedures to test management’s assertions and form an opinion to which they attest to the public. A lot of work is required for an organization to support the assertions that a management team makes. Often controls related to financial reporting extend beyond the immediate company to service organizations supporting its operations.

What are Financial Statement Assertions?

While assertions are made in all aspects of life, in an accounting or business setting, most people think of a company’s financial statements or the financial statements audit when they think of assertions. This is because the AICPA, the Sarbanes-Oxley Act and subsequent audit standards issued by the Public Company Accounting Oversight Board require members of management for publicly traded companies to make implicit or explicit claims and representations regarding the accuracy of their company’s financial statements and the organization’s internal control over financial reporting. These representations are commonly referred to as Audit Assertions, Management Assertions and Financial Statement Assertions.

Auditors for these companies perform procedures to test the validity of management’s assertions and to provide an independent opinion. While audit procedures do not provide absolute assurance, an audit is designed to provide readers of financial statements with reasonable assurance that an entity’s financial statements fairly present its financial position in all material respects.

The following lists the three types of assertions in financial accounting and a brief description of the specific assertions in each area. Auditors will employ a wide variety of procedures to test a company’s financial statements in respect to each of these assertions.

Assertions for Classes of Transactions:

  • Occurrence – Transactions recognized in the financial statements have occurred and relate to the entity.
  • Completeness – All transactions that were supposed to be recorded have been recognized in the financial statements.
  • Accuracy – Transactions have been recorded accurately at their appropriate amounts.
  • Cut-off – Transactions have been recognized in the correct accounting periods.
  • Classification – Transactions have been classified and presented fairly in the financial statements.

Assertions related to Assets, Liabilities and Equity Balances at the period end:

  • Existence – Assets, liabilities and equity balances exist at the period end.
  • Completeness – All assets, liabilities and equity balances that were supposed to be recorded have been recognized in the financial statements.
  • Rights & Obligations – Entity has the right to ownership or use of the recognized assets, and the liabilities recognized in the financial statements represent the obligations of the entity.
  • Valuation – Assets, liabilities and equity balances have been valued appropriately.

Assertions related to Presentation and Disclosures:

  • Occurrence – Transactions and events disclosed in the financial statements have occurred and relate to the entity.
  • Completeness – All transactions, balances, events and other matters that should have been disclosed have been disclosed in the financial statements.
  • Classification & Understandability – Disclosed events, transactions, balances and other financial matters have been classified appropriately and presented clearly in a manner that promotes the understandability of information contained in the financial statements.
  • Accuracy & Valuation – Transactions, events, balances and other financial matters have been disclosed accurately at their appropriate amounts.

The following is a good explanation of the financial assertions as they pertain to ISA 135.

Management’s Internal Control Assertion

The Sarbanes-Oxley Act (SOX), issued in 2002, added additional responsibility to the management of publicly traded companies. Management of these corporations was now required to assess and assert as to the effectiveness of the organization’s internal controls over financial reporting. Consequently, in addition to assessing the presentation of an organization’s financial statements, auditors must evaluate the internal controls within the processes that could materially impact the financial statements.

SOX also created the Public Company Accounting Oversight Board (PCAOB)—an organization intended to assess the work performed by public accounting firms to independently assess and opine on management’s assertions. The PCAOB’s Auditing Standard number 5 is the current standard over the audit of internal control over financial reporting.

How Does SOX Impact Service Providers?

While not directly subject to SOX, many nonpublic companies have been indirectly impacted because they provide services for publicly traded companies. If a publicly traded company’s auditor (user auditor) determines that the services provided have a material impact on the company’s financial statements, the non-public business may be required by its client to provide assurance that its processes are under control, or the user auditor may request to audit the material processes themselves. A service organization with a number of public clients or user organizations could be inundated with audit requests by user auditors attempting to audit its processes to gain comfort on their customers’ assertions over internal controls.

How Can a System and Organization Controls (SOC) Report Help?

 

A SOC 1 (formerly SSAE 16) audit is designed to provide a user auditor with a basis for identifying and assessing the risks of material misstatement at the financial statement and internal control assertion levels related to the services provided by the service organization.

A SOC 1 report (type 2) includes management’s description of the service organization’s system, management’s written assertion and the service auditor’s report in which the service auditor expresses an opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. A SOC 1 type 1 audit covers the same areas; however, the auditor’s opinion only addresses the effectiveness of the design of controls at a point in time.

A service organization can greatly reduce the amount of resources expended to meet user auditors’ requests by having a Type II SOC 1 audit performed. The service organization can have the SOC audit performed once and then can simply provide a copy of the report to its clients’ auditors rather than having to respond to individual requests or having multiple process audits performed each year by user auditors.

Do I need a SOC 1, 2 or 3 Report?

As there are different types of SOC audits, it can be difficult to keep them straight. How do you know which one is the one you need? Hopefully this brief summary will be helpful to you:

SOC 1: These reports are intended to help your client’s auditors evaluate the effect of the controls that you perform on your client’s financial statements.

SOC 2: These reports are intended for a broader range of user organizations. A SOC 2 report provides information about your control environment and assurance that it is operating effectively as it relates to the AICPA’s Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality and Privacy. So, if you are housing or processing sensitive data for your client, but it does not have a material impact on their financial statements, this is likely the SOC report you’ll need.

SOC 3: These reports, like SOC 2 reports, address the Trust Service Principles. The main difference is that they do not provide the same level of detailed information as a SOC 2 report. However, a benefit is that this type of report may be used in marketing. These are less common. We typically see this as an add-on report made for clients who are also receiving a SOC 2 report.

Conclusion

In summation, assertions are claims made by members of management regarding certain aspects of a business. Independent auditors use these representations as the foundation from which they design and perform procedures to test management’s assertions and form an opinion. A lot of work is required for your organization to support the assertions that your management team makes. Lastly, if you are a service organization, you should be cognizant of the need to maintain a strong control environment to support your clients.
