
What Determines a Qualified Opinion in a SOC Report?

When undergoing a System and Organization Controls (SOC) examination, the goal is to gain independent validation of the controls you've put in place to protect your and your clients' assets, and to provide your stakeholders with reassurance of your trustworthiness. Unfortunately, controls sometimes fail to meet their intended objectives or criteria, and when they do, your SOC auditor explains the issue in your formal report. That explanation is called a "qualification."

In fact, there are four possible SOC opinions in total, with "unqualified" being the optimal result. In other words, your assessor has no reservations about your controls, system, or services, which is exactly what your customers want to hear. So how does an organization end up with the less desirable, though not worst-case, result that is a qualified opinion in its SOC report?

As a leading provider of SOC reports, we have decades of experience issuing every kind of opinion to organizations completing a SOC examination. In this article, we'll explain what causes a qualification in a SOC opinion, including specific examples, along with an approach that can help you avoid this result so that you better understand how to prepare for your evaluation.

Testing Exceptions vs. Qualified Opinion in SOC Reports


What is a SOC Testing Exception?

First, it's important to distinguish between a testing exception and a qualified opinion: your auditor disclosing the former does not necessarily mean you'll receive the latter.

Depending on the type of SOC examination you've opted for, a control testing exception results for one of two reasons:

  1. (Type 1 or 2) A process is not suitably designed to consistently achieve an intended result (e.g., you do not have a vendor management program in place to routinely assess subservice organizations).

  2. (Type 2) A process is in place but did not operate as intended (e.g., you have a vendor management program stipulating that subservice organizations are assessed at least annually, but the review was not completed).

That being said, just because your auditor identifies a testing exception doesn't automatically mean your report will contain a qualified opinion; testing exceptions are actually quite common. In theory, your auditors could find a myriad of exceptions and still provide an unqualified (i.e., a "clean" or "ideal") opinion, provided the remaining controls still achieve the related objective or criteria.


What Causes a Qualified SOC Opinion?

So what will yield a qualified (i.e., less than ideal) opinion? It depends on the report component and the report type:

  • Controls
    • SOC 1 reports: You receive a qualified opinion when you do not achieve a control objective.
    • SOC 2 reports: You receive a qualified opinion when you do not meet a service commitment, based on the predefined trust services criteria.
  • Description of your services (system)
    • SOC 1 and SOC 2 reports: You receive a qualified opinion if your description of your services has material omissions or disallowed content that could mislead the reader of the report.

That's because these components are what you're ultimately assessed against during a SOC examination. To ensure consistent evaluation across organizations and industries, your service auditor evaluates how you describe your services, system, and underlying controls (including internal controls) for what is referred to as "fairness of presentation." That's auditor speak for "truth in advertising": they're looking to confirm that how you describe your organization, your services, goods, or cybersecurity program is accurate, and that your controls support achievement of your stated objectives or commitments. What you are measured against differs by report type:

  • For a SOC 1, you're assessed against the control objectives you define in your system description. Your auditor evaluates whether your controls, taken together, provide reasonable assurance that each objective is achieved. An example of a SOC 1 control objective:
    • Logical Access: Control activities provide reasonable assurance that system information, once entered into the system, is protected from unauthorized access or unintentional use, modification, addition, or deletion.
  • For a SOC 2, you're assessed against a predefined set of criteria or "requirements." These criteria are grouped into five trust services categories (TSCs). You select which category(ies) are relevant to your service commitments and system requirements, and your auditor then evaluates your controls against the chosen criteria to determine how well you're following through on your promises. Examples of SOC 2 criteria you may be required to meet include:
    • Common Criteria (Security) CC9.2: The entity assesses and manages risks associated with vendors and business partners.
    • Availability A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

When you write your assertion, you declare that you have controls in place to meet either your SOC 1 control objectives or your service commitments based on the SOC 2 TSCs. If your auditor examines them and finds deviations from the intended process that prevent achievement of that goal, you'll receive a modified opinion, which could be bad (qualified) or really bad (adverse) depending on the materiality and pervasiveness of the issues. (Your auditor should also explain the specific issues within their opinion.)


How to Avoid a Qualified Opinion in Your SOC Report

To avoid this, many organizations opt for a "defense-in-depth" approach, which involves deploying multiple layers of controls to protect against a variety of threats and to ensure the end goal can still be met even if a single process deviates.

Let's use the above SOC 1 logical access control objective as an example. Here it is again for convenience:

Control activities provide reasonable assurance that system information, once entered into the system, is protected from unauthorized access or unintentional use, modification, addition, or deletion.


Now, say you assert that you have the controls in place to meet that objective, but your auditor discovers that an account associated with a terminated employee retained privileged access to your organization's claims system. At face value, this is a testing exception that could lead to a qualification, because your organization didn't protect the system from unauthorized access as specified in your objective. However, consider the following possibilities:

  • What if you had also implemented layers of controls such as activity monitoring, which would let you determine whether the account was actually used and/or claims were modified after the employee's termination date?
  • What if access to the claims processing system also required an account on a separate network domain or gateway system, and the necessary privileges had been removed from that gateway?
  • What if you regularly review user access and assigned roles, and that review caught the account needing removal?

Such defense-in-depth strategies may well help secure a clean, unqualified SOC report despite the disclosure of that initial deviation, while also strengthening the security and integrity of your data.
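To make the layered controls above concrete, here is an added example (not from the original article or from Schellman) of the two compensating layers a practitioner would implement: a periodic access review that reconciles the claims system's account export against the HR roster, and an activity-monitoring check that looks for use of an account after its owner's termination date. The roster, account export, log format, field names, and role names are all constructed for the example and are assumptions, not any real system's schema.

```python
"""
Access-review reconciliation plus post-termination activity check.

Added illustrative example. HR_ROSTER, CLAIMS_ACCOUNTS, AUTH_LOG and the
field/role names are constructed assumptions, not a real system's data.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed HR roster: user -> termination date (None = still employed)
HR_ROSTER: Dict[str, Optional[date]] = {
    "alice": None,
    "bob": date(2024, 3, 15),
    "carol": date(2024, 1, 31),
}

# Constructed export of the claims system's account list
CLAIMS_ACCOUNTS = [
    {"user": "alice", "enabled": True, "roles": ["claims_admin"]},
    {"user": "bob", "enabled": True, "roles": ["claims_admin"]},      # left, still enabled
    {"user": "carol", "enabled": False, "roles": ["claims_reader"]},  # disabled on time
    {"user": "svc_batch", "enabled": True, "roles": ["claims_reader"]},  # no HR record
]

# Constructed audit log: "<ISO-8601 UTC timestamp> <user> <action> <outcome>"
AUTH_LOG = """\
2024-03-14T09:02:11Z bob login success
2024-03-14T09:10:42Z bob claim.update success
2024-03-20T22:47:03Z bob login success
2024-03-20T22:49:55Z bob claim.update success
2024-03-21T08:00:00Z alice login success
2024-03-22T03:12:09Z carol login failure
"""

PRIVILEGED_ROLES = {"claims_admin"}  # assumed privileged role name


@dataclass(frozen=True)
class Finding:
    user: str
    terminated: Optional[date]
    privileged: bool
    reason: str


def review_access(roster: Dict[str, Optional[date]], accounts, as_of: date) -> List[Finding]:
    """Access-review layer: flag enabled accounts whose owner has left,
    and enabled accounts that have no HR owner at all."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to remove
        user = acct["user"]
        privileged = bool(PRIVILEGED_ROLES & set(acct["roles"]))
        if user not in roster:
            findings.append(Finding(user, None, privileged, "no HR record for enabled account"))
            continue
        term = roster[user]
        if term is not None and term <= as_of:
            findings.append(Finding(user, term, privileged, "enabled after termination"))
    return findings


def activity_after_termination(log_text: str, roster: Dict[str, Optional[date]]
                               ) -> Dict[str, List[Tuple[datetime, str]]]:
    """Activity-monitoring layer: events attributed to a user on a day
    after that user's termination date, keyed by user. Failed attempts are
    kept too, since they show whether a disable control actually held."""
    late: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in log_text.splitlines():
        ts_text, user, action, outcome = line.split()
        term = roster.get(user)
        if term is None:
            continue  # current employee or unknown user: not a termination question
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        if ts.date() > term:
            late.setdefault(user, []).append((ts, f"{action} {outcome}"))
    return late


def needs_incident_review(findings: List[Finding],
                          late: Dict[str, List[Tuple[datetime, str]]]) -> List[str]:
    """Orphaned accounts that also show successful post-termination activity:
    these are the exceptions that cannot be explained away by a compensating
    control and need investigation, not just cleanup."""
    return sorted(
        f.user for f in findings
        if f.terminated is not None
        and any(ev.endswith("success") for _, ev in late.get(f.user, []))
    )


if __name__ == "__main__":
    found = review_access(HR_ROSTER, CLAIMS_ACCOUNTS, date(2024, 4, 1))
    late_events = activity_after_termination(AUTH_LOG, HR_ROSTER)
    for f in found:
        print(f"REVIEW {f.user}: {f.reason} (privileged={f.privileged})")
    for user, events in late_events.items():
        for ts, ev in events:
            print(f"ACTIVITY {user} {ts.isoformat()} {ev}")
    print("incident review needed for:", needs_incident_review(found, late_events))
```

In the constructed data, the access review catches bob's still-enabled privileged account (the scenario in the text) and an enabled service account with no HR owner, while the activity check shows bob's account was used successfully after his termination date and that carol's disabled account only produced a failed login. Only bob lands in the incident-review list; that distinction between "account should have been removed" and "account was actually misused" is what lets you show the auditor whether the objective was still achieved.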


Next Steps for Your SOC Examination

All that being said, it's important to remember that receiving a qualified opinion doesn't mean that the controls supporting a particular area can't be relied on at all. A single qualification in one area doesn't discount the other areas of your report that yielded no qualifications.

Remember, qualifications are tied to specific objectives or service commitments, so it's entirely possible that some, but not all, of your objectives or commitments were achieved. Here's a quick overview of the possible SOC opinions to help:

  • If all your objectives or service commitments were achieved, you'll receive an unqualified opinion.
  • If some, but not all, of your objectives or service commitments were achieved, you'll receive a qualified opinion.
  • If most or all of your objectives or service commitments were not achieved, you'll receive an adverse opinion, because the deficiencies are deemed both material and pervasive.
  • The fourth possible result, a disclaimer of opinion, is issued when your auditor cannot obtain sufficient appropriate evidence to form an opinion at all.

Again, the optimal result is an unqualified opinion, so whatever your report type (SOC 1 or SOC 2, Type 1 or Type 2), your process flows should be understood and consistently applied to achieve the objective and/or commitment.

To learn more about SOC examinations, check out our extensive library of content on the subject.

About COLLIN VARNER

Collin is a Senior Manager with Schellman Compliance, LLC based in Denver, Colorado. Collin specializes in IT attestation, audit, and compliance activities as they relate to numerous standards including SOC, HIPAA, CMMC, and a suite of ISO standards. Prior to joining Schellman, Collin held roles tasked with planning, organizing, and managing multiple facets of information technology and security reviews, including cybersecurity assessments, risk management, internal and external audit, system implementations, and customized attestation reporting.