The Risk Assurance Manifesto

Listen to me discuss this post on my talk radio show below:

Listen to internet radio with Risk Assurance Talk Radio on Blog Talk Radio

rev·o·lu·tion [rev-uh-loo-shuhn] noun -A sudden, complete or marked change in something.

Every good revolution needs a manifesto, or at least a position statement that everyone can rally around, so I decided to put forth an initial draft.

For the purpose of this manifesto, "acknowledge" is used for our acceptance of factual statements, and "believe" is used for expressions of our convictions.

1.  We acknowledge that Statements on Standards for Attestation Engagements no. 16 (SSAE 16) is not designed to, and cannot provide assurance regarding security, availability, processing integrity, confidentiality, or privacy.  (More info)

2.  We acknowledge that Service Organization Controls (SOC) reports replaced SAS 70, and that SOC reports include SOC 1, SOC 2, and SOC 3 reports. (More info)

3.  We believe that an Internal Control over Financial Reporting (ICFR) is defined by a reasonable degree of risk separation between itself and the risk of material financial misstatement.  (More info)

4.  We acknowledge that service auditors fail to follow the SSAE 16 attestation standard if they conclude that non-ICFR controls are "reasonable in the circumstances" when they are included in SSAE 16 by management.  (More info)

5.  We acknowledge that SOC 2 is designed to and can provide assurance regarding security, availability, processing integrity, confidentiality, or privacy.  (More info)

6.  We believe that SOC 2 is the vehicle that will unify the risk assurance industry by allowing management to include PCI, HIPAA, NIST, CCM, ISO 27000, and other regulatory and industry standards as "other subject matter."  (More info)

7.  We believe that SOC 2 engagements should only be accepted by service auditors who use professionals with deep technical expertise of the subject matter being tested.  (More info)

8.  We acknowledge that there is an inherent conflict of interest created when service auditors provide risk assurance for the benefit of management rather than stake-holders.  (More info)

9.  We acknowledge the responsibility of stake-holders to verify that they are receiving adequate risk assurance from management, but that service auditors are not absolved of their responsibility to represent the stake-holder's interest above management's interest.  (More info)

10.  We acknowledge the supremacy of real-time assurance over period-of-time assurance over point-in-time assurance over management assurance.  (More info)

11.  We acknowledge that "bridge letters" are not to be offered by external auditors, and when they are offered by management, they are to be seen as management assurance. (More info)

Please feel free to challenge or agree with any of the above.  If you think it is too risky, please consider these words from Starbucks Chairman and CEO Howard Schultz:


  1. God, grant me the serenity to accept the things I cannot change,
    Courage to change the things I can,
    And wisdom to know the difference.
    ~Reinhold Niebuhr

  2. Thank you Phil. I look at it a little differently though...I do my best and leave the results to God. It is infinitely less stressful that way :')