This question was asked by an attendee at a recent Proformative SAS 70/SSAE 16 event: Is there any validation of management's attestation required as part of the SSAE 16 standard SOC 1, SOC 2 or SOC 3 reports?
Answers
The following verbiage comes from the AICPA's recently released guide "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2)", May 1, 2011:
Consideration of Management’s Assertion
3.104 Management may have provided the service beginning of the engagement that includes all the relevant aspects that would be expected. The service auditor may identify deficiencies in the operating effectiveness of controls that cause the service auditor to qualify the opinion. In this instance, the service auditor would evaluate the reason why management had not identified the deficiencies in the operating effectiveness of the controls and determine whether management should have known these existed and whether management is in a position to be able to provide the assertion or whether additional work needs to be done by management before they provide the final assertion that is attached to the description. In instances in which the service auditor has identified deficiencies that give rise to a qualification in the opinion, management is expected to modify their assertion to note those deficiencies.
3.105 The service auditor may determine that management’s assertion does not provide sufficient detail, fails to disclose deficiencies identified by the service auditor that resulted in a qualified opinion, or contains inaccuracies. In these situations, the service auditor should request that management modify its assertion. For example, when deviations identified in the examination cause the service auditor to qualify the opinion, the service auditor should ask management to amend its assertion to reflect the identified deficiencies. If management refuses to do so, the service auditor takes appropriate action, which may include additional modifications to the service auditor’s report, rendering an adverse opinion, or withdrawing from the engagement.