Matters of opinion can be pretty contentious.
Vaudeville actor Will Rogers said it best: “a difference of opinion is what makes horse racing and missionaries.” The man may have grown up in the 19th century, but his words have serious longevity, especially in compliance.
You might not be dealing with horses or missionaries in your SOC examination, but you will be receiving an opinion from your auditor when they’re through evaluating your environment.
And like Will Rogers alluded to, the differences between these possible opinions can be massive. You need your opinion to be favorable if you’re to deliver the assurances your customers need regarding your security.
What would probably help is knowing all the variances and how your auditor can reach those opinions as they conduct their examination. In just the last year, Schellman has worked on over 1,000 SOC audits and we’ve either already given our opinion or we will at the end of each one.
In this article, we’re going to detail the different kinds of opinions your auditor can issue, and we’ll do that by defining each type. Understanding these classifications will not only support your growing knowledge of compliance at this early stage of your journey, but you’ll be more prepared for when the end of your audit arrives.
The Four Kinds of SOC Opinions
There are four different ways your SOC examination can finish. You’ll either receive one of the following:
- An adverse opinion
- A disclaimer of opinion
- A qualified opinion
- An unqualified opinion
What is an Adverse Opinion?
Let’s start with the possible bad news—an adverse opinion.
If you receive one of these from your auditor, this is unarguably the worst-case scenario because this is the most negative thing they can say.
When do auditors provide adverse opinions?
- Your auditor will give an adverse opinion when they’ve obtained sufficient evidence that concludes misstatement(s), either alone or in aggregate, of the system’s description and controls.
- Not only that, but those misstatements are both material and pervasive.
When they deliver this kind of opinion, they won’t mince words—they’ll use the phrasing “because of the significance of the matter.” Your auditor also won’t be just guessing—they’ll actually have sufficient evidence to support this conclusion.
In no uncertain times, this opinion will alert your customers or other readers of the report that they cannot rely on your organization’s scoped system.
What is a Disclaimer of Opinion?
We’ll continue to work upward in terms of desirable outcomes, which makes a disclaimer of opinion next. What does that actually mean? Your practitioner has no opinion at all.
You could receive this for a few reasons, such as:
- If your auditor was not being allowed by management to complete examination procedures; or
- If they did not receive sufficient evidence to support an opinion.
Though not as decisively negative, a disclaimer is obviously also not what you’d prefer as a result. Given how much time, money, and resources you’ll need to allocate for an audit effort, ensure that it’s enough so you’re more likely to receive the conclusion you want.
What is a Qualified Opinion?
Next, there’s a qualified opinion, which is what your assessor will express if they found issues that materially impacted an objective(s) or criteria, but were not prevalent throughout your scoped system.
That’ll tell your customers or report readers one of a few things:
- The system was not presented fairly (meaning, accurately, completely, or with all the relevant elements);
- That controls were not suitably designed to achieve their intended purpose; or
- Including the controls, the system was not operating effectively to achieve objectives or criteria.
Like an adverse opinion also has particular phrasing, a qualified opinion will be presented with the wording “except in the matter of…” or “except for…” Your assessor will also provide an additional explanatory paragraph regarding the specific issues.
While not optimal, in comparison with the previous two options, a qualified opinion is certainly a better outcome. It’s also quite common. It’ll still work and be mostly accepted by your customers reading the report.
After all, perfection is not the true goal of an audit. Your organization is in a constant state of corrective action and process improvement—or at least it should be. A qualified opinion will specify those areas you should focus on for that first.
Moreover, it will alert the auditors being used by your customers that, while they can place some reliance on your system, they may also need to perform additional testing to support their operations that are associated with your qualified opinion.
Meanwhile, you can expect to provide commentary, explanation, or corrective action plans either within or after the distribution of your report.
What is an Unqualified Opinion?
Finally, we come to it—the actual optimal result for your audit—an unqualified opinion, or in essence, a clean report. If a qualified opinion means your assessor had some reservations about your system or services, an unqualified one means they don’t have any. Your in-scope system and controls achieved their stated mission, based on specific criteria.
However, it’s important to note that an unqualified opinion doesn’t necessarily mean that your auditors didn’t report any findings within your examination report. Rather, if any findings were noted, they were just not material or pervasive enough to prevent the achievement of the specified objectives or criteria.
Still, when your auditor issues an unqualified opinion, they’re confirming that your system was presented fairly, in all material respects, and that everything worked as it should in meeting objectives/criteria with no modifications. It follows that this is the best outcome to present to your customers.
Getting Ready for Your SOC Examination
For Will Rogers, a difference of opinion meant horses and missionaries—for you, it may make the difference between alleviating customer apprehension and a waste of money.
Though your actual audit process still lies ahead, now that you understand all the different outcomes for your upcoming SOC examination, you’re ready to receive your eventual result. Let’s recap:
As you continue to explore the possibilities for a potential SOC audit of your organization, make sure you read our other content on the subject so that you can continue to set clear expectations for your organization moving forward:
- SOC 1 vs. SOC 2: Which is Best for Me?
- Should You Get a SOC 3 or a SOC 2 Examination? Understand Your Options
- SOC 2 vs. ISO 27001: What are the Differences?
After reading up, if you find you’d like to talk things through a bit further, please feel free to reach out to us. We’re happy to have a conversation regarding your particular concerns so you’re that much more at ease when taking these kinds of initiatives on.
About NICK BRUCE
Nick Bruce is a Senior Associate in the SOC Services practice of Schellman. As a part of the SOC Services group, Nick helps clients solve problems and explore new areas for improvement based on the organization’s adoption of new processes and technology. His prior experience to Schellman includes nearly four years of “Big 4” experience at EY performing SSAE 16 SOC reports and ITGC evaluation for financial statement audit serving clients in the technology, insurance and not for profit industries.