Written by: Erin Dunn
In our previous articles, we discussed the different SOC reports that can be issued as well as how reports can be issued covering an as-of date or a period of time. As a reader of these reports, the first section you will want to review is the Independent Service Auditor’s Report.
In this section, the service auditor will state their overall opinion based on the testing procedures that have been performed. There are multiple subject matters the auditor forms an opinion on. For a Type 1 SOC report, the auditor states an opinion on whether the system description is fairly presented and whether the controls presented in the report are designed effectively. For a Type 2 SOC report, the auditor states an opinion on whether the system description is fairly presented, whether the controls presented are designed effectively, and whether the controls presented in the report operated effectively. The following opinions can be issued by the service auditor:
- Unqualified
- Qualified
- Disclaimer
- Adverse
Below, we explain what each of these opinions means for your report.
Unqualified Opinion
Although this opinion may sound negative, this is the desired opinion for a SOC report and indicates a “clean” report. An unqualified opinion indicates the service auditor concluded the system description is fairly presented, the controls are appropriately designed, and in the case of a Type 2 report, the controls operated effectively.
However, an unqualified opinion does not indicate there were no exceptions/deviations noted in the report. An unqualified opinion can still contain exceptions/deviations, but suggests these issues were not pervasive and did not cause concerns related to the areas where the service auditor is providing an opinion. The reader of an unqualified SOC report with exceptions should still read and understand the identified exceptions/deviations.
Qualified Opinion
A qualified opinion indicates that limited issues were identified related to the presentation of the system description, the design of the controls, or in the case of a Type 2 report, the operating effectiveness of controls.
The reason for the qualification will be explicitly stated in the Independent Service Auditor’s Report section. This will allow the reader of a qualified SOC report to know issues were encountered by the service auditor so additional research can be performed if the reader has concerns. Qualified opinions tend to be common for service organizations that underwent significant changes during a period and may have had a resulting lapse in their controls. The reader should assess if this is a “one-time” opinion issue or if the service organization is prone to such an opinion. While a qualified report is undesirable, this opinion is not uncommon and not as severe as the disclaimer and adverse opinions.
Disclaimer Opinion
A disclaimer opinion indicates the service organization did not provide the service auditor with enough information to form an opinion. As a result, the service auditor cannot provide an opinion on whether the system description is fairly presented, if the controls are appropriately designed, or if the controls operate effectively over a period of time. This opinion is very rare as most service organizations desire to demonstrate the effectiveness of their internal control environment.
Adverse Opinion
The final opinion type, an adverse opinion, should be a red flag for readers as it indicates significant issues based on the service auditor’s testing procedures. An adverse opinion indicates pervasive misstatements in the presentation of the system description, a significant number of controls were not effectively designed, or a significant number of control areas did not operate effectively. This is the worst opinion that can be issued for a SOC report, and should prompt the reader to immediately follow up with the service organization to understand the cause of the issues and how they are being addressed.
While an unqualified opinion will be every service organization’s desired result, it is possible for one of the other opinion types to be issued. As a report reader, you are now equipped to understand the potential opinions and how they may impact your organization. Just remember, no matter the opinion of the report, you should truly review all the report contents and follow up with the service organization if you have concerns or questions.
If your organization requires assistance auditing your SOC report, or even determining where to get started, reach out to Wolf’s SOC Reporting team today.