When a service organization undergoes a SOC 1 or SOC 2 audit, the report will contain an auditor’s opinion on the controls examined. The auditor comes to his/her opinion by determining whether:
- the description of the controls is presented fairly
- the controls are designed effectively
- the controls operate as intended over a specified period of time (Type II report only)
Unqualified Opinion = Gold Star. Unqualified means controls are described in a fair and accurate manner and operate effectively. Simply put, the controls abide by all of the standards. Typical language is as follows (SOC 1, Type II):
In our opinion, in all material respects, based on the criteria described in the Company’s assertion in section II,
- the description fairly presents the System that was designed and implemented throughout the Period.
- the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the Period and user entities applied the complementary user entity controls contemplated in the design of the Company’s controls throughout the Period
- the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the Period.
[SOURCE: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1(R)) – Guide]
Anything other than unqualified falls into the modified category. The auditor will issue a modified opinion if the controls fail to meet the standards of the above bullets or if the auditor cannot obtain sufficient and appropriate evidence. There are three potential modified opinions.
Qualified Opinion = Close, but not quite. Controls mostly abide by the standards, but fall short in a few areas. The auditor will state specifically where the service organization failed to adhere to the standards. For example, a specific control or objective may have failed the auditor’s testing and is considered significant enough to be an exception. Except for these specific item(s), the auditor believes the control environment is up to snuff! Typically, the opinion will describe the deficiency and the subsequent paragraph will start with the following:
In our opinion, except for the matter referred to in the preceding paragraph, in all material respects, based on the criteria described in [service organization’s] assertion in section 2, ..
[SOURCE: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1(R)) – Guide]
Adverse Opinion = The service organization materially failed one or more of the standards. This is essentially a fail. Again, the auditor’s opinion will typically contain a paragraph describing the matters resulting in the adverse opinion followed by the opinion language. An example containing an adverse opinion on all three components of the opinion is as follows:
In our opinion, because of the matter referred to in the preceding paragraph, in all material respects, based on the criteria described in [name of service organization’s] assertion in section 2,
- the description does not fairly present the [type or name of system] that was designed and implemented throughout the period.
- the controls related to the control objectives stated in the description were not suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period [date] to [date].
- the controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, did not operate effectively throughout the period from [date] to [date].
[SOURCE: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1(R)) – Guide]
Disclaimer of Opinion = This technically isn’t an opinion. It’s when an auditor decides not to issue an opinion. Auditors issue unqualified, qualified, and adverse opinions when they are confident in the evidence they have to support their opinion. If this is not the case, then a Disclaimer of Opinion will be issued. This can happen for various reasons. Some possible reasons are:
- Auditors do not have access to the information needed
- Auditors find themselves unable to complete the audit in a neutral manner
So there you have it…the lowdown on opinions.