866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

What Determines a Qualified Opinion in a SOC Report? Blog Feature
COLLIN VARNER

By: COLLIN VARNER

Print/Save as PDF

What Determines a Qualified Opinion in a SOC Report?

When undergoing a System and Organization Controls (SOC) examination, the idea is to gain independent validation regarding the controls you’ve put in place to protect your and your clients' assets and provide reassurance of your trustworthiness to your stakeholders. Unfortunately, sometimes controls fail to meet their intended objectives and criteria, resulting in your SOC auditors explaining the issue in your formal report—that explanation is called a “qualification.”

In fact, there are four different types of possible SOC opinions in total, with “unqualified” being the optimal result—in other words, your assessor has no reservations about your controls, system or services, which is exactly what your customers want to hear. So then, how does an organization score the less desirable—though not the worst-case scenario—result that is a qualified opinion in its SOC report?

As a leading provider of SOC reports, we have decades of experience offering all kinds of opinions to organizations seeking to successfully complete a SOC examination. In this article, we’ll detail further what causes a qualification in a SOC opinion, including specific examples, along with a potential solution that can help you avoid this result so that you understand better how to prepare for your evaluation.

Testing Exceptions vs. Qualified Opinion in SOC Reports

 

What is a SOC Testing Exception?

First, it’s important to distinguish between a testing exception and a qualified opinion, as your auditor disclosing the former does not necessarily mean you’ll receive the latter.

Depending on the type of SOC examination you’ve opted for, a control testing exception results for one of two reasons:

  1. (Type 1 or 2) A process is not suitably designed to consistently achieve an intended result (e.g., you do not have a vendor management program in place to routinely assess subservice organizations).

  2. (Type 2) A process is in place but did not operate as intended (e.g., you have a vendor management program stipulating that subservice organizations are assessed at least annually, but the review was not completed).

That being said, just because your auditor identifies a testing exception doesn’t automatically mean your report will contain a qualified opinion—testing exceptions are actually quite common. In theory, your auditors could find a myriad of exceptions and still provide an unqualified (i.e., a “clean” or “ideal”) opinion.

 

What Causes a Qualified SOC Opinion?

So what will yield a qualified (i.e., less than ideal) opinion?

Report Component

Issue in SOC 1 Reports

Issue in SOC 2 Reports

Controls

You receive a qualified opinion when you do not achieve a control objective.

You receive a qualified opinion when you do not meet a service commitment, based on predefined criteria.

Description of your Services (System)

You receive a qualified opinion if your description of your services has material omissions or disallowed content that could mislead the reader of the report.

That’s because these concepts are what you’re ultimately assessed against during a SOC examination. To ensure consistent evaluation across organizations and industries, your service auditor evaluates how you describe your services, system, and underlying controls (including internal controls) for what is referred to as “fairness of presentation”—that’s auditor speak for what essentially means they’re looking to confirm “truth in your advertising” in how you describe your organization, your services, goods, or cybersecurity program, and how your controls support achievement of your stated objectives/commitments:

    • Logical Access: Control activities provide reasonable assurance that system information, once entered into the system, is protected from unauthorized access or unintentional use, modification, addition, or deletion.
  • For a SOC 2, you’re assessed against a predefined set of criteria or “requirements.” These criteria are grouped into five trust service categories (TSCs)—you select which category(ies) are relevant to your service commitments and requirements before your auditor stacks your controls against the chosen criteria to evaluate how well you’re following through on all your promises. Examples of SOC 2 criteria you may be required to meet include:
    • Common Criteria (Security) CC9.2 The entity assesses and manages risks associated with vendors and business partners.
    • Availability A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

When you write your assertion, you declare that you have controls in place to either meet your SOC 1 control objectives or your service commitments based on the SOC 2 TSCs. But if your auditor examines them and finds deviations from the intended process that prevent the achievement of whichever goal, you’ll receive a modified report opinion, which could be bad (qualified) or really bad (adverse) based on the materiality and pervasiveness of the issues. (Your auditor should also explain the specific issues within their opinion.)

 

How to Avoid a Qualified Opinion in Your SOC Report

To avoid this, many organizations opt for a “defense-in-depth” implementation approach, which involves deploying multiple layers of controls to protect against a variety of threats & ensure your end goal can still be met, even if a single process deviates.

Let’s use the above SOC 1 Information Security control objective as an example—here it is again for convenience:

Control activities provide reasonable assurance that system information, once entered into the system, is protected from unauthorized access or unintentional use, modification, addition, or deletion.

 

Now, say you assert that you have the controls in place to meet that goal, but your auditor discovers that an account associated with a terminated employee retained privileged access to your organization’s claims system. At face value, this would be a testing exception that could lead to a qualification because your organization didn’t protect the system from unauthorized access, as specified in your objective. However, consider the following possibilities:

  • What if you’d also implemented layers of controls that included processes such as activity monitoring that would enable you to research if the account was actually accessed and/or claims were modified beyond the employee’s termination date?
  • What if you also required additional access to a separate network domain or system to gain admittance to the claims processing system, and the necessary account privileges were removed from that gateway system?
  • What if you regularly perform a review of user access, as well as their assigned roles, and caught the account needing removal?

Such defense-in-depth strategies regarding your information security may likely help secure a clean, unqualified SOC report despite the disclosure of that initial deviation (while also strengthening the security & integrity of your datakeeping).

 

Next Steps for Your SOC Examination

All that being said, it’s important to remember that receiving a qualified opinion doesn’t mean that you can’t rely on the controls supporting a particular area at all—a single qualification in one area doesn’t discount the other areas of your report that yielded no qualifications.

Remember, many qualifications are based on specific objectives or service commitments, so it’s entirely possible that some, but not all, of your objectives or commitments were achieved. Here’s a quick overview of possible SOC opinions to help:

  • If all your objectives or service commitments were achieved, you’ll receive an unqualified
  • If some of your objectives or service commitments were achieved, you’ll receive a qualified
  • If the majority or all of your objectives or service commitments were not achieved, you’ll receive an adverse opinion because the deficiencies are deemed to be both material and pervasive.

Again, the optimal result is an unqualified opinion, so no matter your barometer—SOC 1 or SOC 2, Type 1 or Type 2—your process flows should be understood & consistently applied to achieve the objective and/or commitment.

To learn more about SOC examinations, check out our extensive library of content on the subject, including these specific pieces that can inform your experience:

About COLLIN VARNER

Collin is a Senior Manager with Schellman Compliance, LLC based in Denver, Colorado. Collin is focused primarily on specializing in IT attestation, audit, and compliance activities as they relate to numerous standards including SOC, HIPAA, CMMC, and a suite of ISO standards. Prior to joining Schellman, Collin held roles tasked with planning, organizing, and managing multiple facets of information technology and security reviews including cybersecurity assessments, risk management, internal and external audit, system implementations, and customized attestation reporting.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.