SOC 2 Management Assertion: What to Write and How
The SOC 2 management assertion is a formal statement by your company included in the audit report. Learn what it must contain and how to draft it.
- The management assertion is your company's formal written statement that the system description is accurate and controls met the criteria.
- It appears in every SOC 2 report as a required section — typically Section II.
- For a Type I report, management asserts that the description is fairly presented and the controls are suitably designed as of a point in time. For a Type II, management also asserts that the controls operated effectively throughout the observation period.
- Your auditor will provide a template — customise it to your specific service and observation period.
- The senior executive who signs must understand what they are asserting — brief them before signature.
What Is the Management Assertion?
The management assertion is a formal written statement by the service organisation's management that is included in the SOC 2 report (typically as Section II). It is management's representation to the auditor and to report recipients about the system description and control effectiveness.
Think of it as the flip side of the auditor's opinion. Management asserts that the description is accurate and that the controls were designed (and, for Type II, operated) as described; the auditor then opines on that same subject matter, i.e. whether the description is fairly presented and whether the controls met the applicable criteria. The assertion is the claim; the opinion is the independent evaluation of it.
Required Content
The management assertion must:
- Identify the SOC 2 report and the service organisation.
- Assert that the accompanying description of the system (Section III) fairly presents the system.
- Assert that the system description includes all relevant information that might affect report users' understanding of the system.
- Assert that the controls stated in Section IV were suitably designed to meet the applicable criteria (Type I and Type II) and, for Type II, that they operated effectively throughout the observation period.
The assertion should reference the specific Trust Services Criteria included in scope and the observation period dates (for Type II). Your auditor will provide a template that covers these required elements.
Type I vs Type II Assertion Differences
Type I assertion: management asserts that (1) the system description is fairly presented as of the report's as-of date, and (2) the controls described are suitably designed to provide reasonable assurance that the applicable criteria would be met if the controls operated effectively.
Type II assertion: management asserts everything in the Type I assertion plus (3) the controls described operated effectively throughout the observation period [start date] to [end date].
The Type II assertion is a stronger claim: management is asserting continuous effective operation over a period, not just a point-in-time design. That is why the evidence of control operation must cover the whole observation period, and why a control that lapsed for part of the period is an exception you need to know about before signing.
Drafting the Assertion
Your auditor provides a standard assertion template. Customise it with: your company's legal name, the specific services covered by the report, the Trust Services Criteria in scope (e.g. "Security and Availability criteria"), and for Type II, the observation period start and end dates.
Review the assertion carefully for accuracy. The assertion states that the system description fairly presents the system — if your Section III contains inaccuracies, the assertion becomes inaccurate. Review the system description alongside the assertion draft.
Special considerations: if you had significant incidents during the observation period, notable exceptions in controls, or significant system changes, your assertion may need to acknowledge these. Your auditor will advise on the appropriate approach.
Who Signs and What They Are Asserting
The management assertion must be signed by a senior executive — typically the CEO, CTO, or CFO. The signatory is making a formal legal representation about the accuracy of the system description and control effectiveness.
Brief the signatory before they sign: they should understand the observation period, the criteria in scope, the controls described, and any notable exceptions. Signing without understanding what you are asserting creates reputational risk if the assertion is later found to be inaccurate.
In practice, the programme owner drafts the assertion (with the auditor's template), the executive reviews and signs. The signature is not ceremonial — it is a formal attestation.
Common Mistakes
Mistake 1: Having the wrong person sign. An individual contributor, or someone without executive authority over the system (e.g. a Head of Security who is not an officer of the company), should not sign the assertion. The AICPA expects the assertion to come from management with responsibility for the system; in practice that means a C-level executive or senior VP.
Mistake 2: Not reviewing the system description before signing the assertion. The assertion says the description fairly presents the system. If you sign without reading Section III, you are asserting accuracy you have not verified.
Mistake 3: Including aspirational language. Do not add statements to the assertion about controls you plan to implement. The assertion covers what existed and operated during the report period.
Frequently Asked Questions
Can the management assertion acknowledge exceptions?
Is the management assertion public?
What happens if the management assertion is inaccurate?
Can we change the management assertion after the report is issued?
Does the management assertion need to be reviewed by legal counsel?