The difference in how well a SOC 2 organization measures up is in the details. CPA firms that audit for SOC 2 compliance report their findings as exceptions and opinions, so it’s important to understand what each of these means and how they relate.
Audit exceptions are simply deviations from the expected result when one or more controls are tested. Each control in a service organization’s description must be tested by the auditor to validate that the description is accurate and that the controls are suitably designed and operating effectively to achieve the related control objectives or criteria. An auditor may use one or more tests to evaluate each control, and as with any test, there is an expected outcome or response; an exception is recorded when the actual result differs from it.
The auditor must investigate the nature and cause of any audit exceptions identified to determine whether:
- The identified exceptions are within the expected rate of deviation and are acceptable.
- Additional testing of the control, or of other controls, is necessary to conclude whether the controls related to the control objectives or criteria in management’s description operated effectively throughout the specified period.
- The testing already performed provides an appropriate basis for concluding that the control did not operate effectively throughout the specified period.
Audit exceptions can be intentional or unintentional, qualitative or quantitative, and include omissions. Auditors are required to make sure a service organization’s description is accurate and to include all design and operating deficiencies in the report—they no longer have discretion in determining whether or not to include exceptions.
There are three basic types of exceptions when it comes to SOC audits:
- Misstatements: a misstatement is an error or omission in the description of the service organization’s system or services.
- Deficiency in the Design of a Control: a design deficiency exists when a control necessary to achieve the control objective or criteria is missing, or when an existing control is not properly designed to achieve it (even if the control operates exactly as designed).
- Deficiency in the Operating Effectiveness of a Control: an operating deficiency exists when a properly designed control does not operate as designed, or when the person performing the control lacks the authority or competence to perform it effectively.
As you likely recognize, an exception is not a good thing. However, an exception does not necessarily mean that a control fails, nor does a single control failure mean that the related objective or criterion is not met; other controls may compensate, and the auditor evaluates the control environment as a whole.
It is quite common for a SOC report to have some exceptions. Some clients and auditors reading a report actually like to see one or two exceptions, because it gives them some comfort that the auditor did a thorough job rather than rubber-stamping the controls.
Exceptions lead to Opinions.
When a service organization undergoes a SOC 1 or SOC 2 audit, the report will contain the auditor’s opinion on the controls examined. The auditor arrives at that opinion by determining whether:
- The description of the controls is presented fairly
- The controls are suitably designed
- The controls operated effectively over the specified period (Type 2 report only)
1. Unqualified Opinion
Unqualified means the controls are described in a fair and accurate manner, are suitably designed and operate effectively. Simply, the controls meet the criteria. Note that an unqualified opinion can still list exceptions in the testing results; it means none of them rose to the level of a deficiency that prevents the criteria from being met.
2. Modified Opinion
Anything other than unqualified falls into the modified category; the three opinion types that follow are all forms of modified opinion. The auditor will issue a modified opinion if the controls fail to meet the criteria, or if the auditor cannot obtain sufficient and appropriate evidence to reach a conclusion.
3. Qualified Opinion
The controls mostly meet the criteria, but fall short in a few specific areas. The auditor will state exactly where the service organization failed to adhere to the criteria. For example, a specific control or objective may have failed the auditor’s testing and been judged significant enough to qualify the opinion. Except for those specific items, the auditor believes the control environment is sound.
4. Adverse Opinion
The service organization materially failed to meet one or more of the criteria. This is essentially a fail. The auditor’s report will typically contain a paragraph describing the matters that led to the adverse opinion, followed by the opinion language itself.
5. Disclaimer of Opinion
This technically isn’t an opinion; it is the auditor declining to issue one. Auditors issue unqualified, qualified and adverse opinions when they have obtained sufficient appropriate evidence to support a conclusion. When they cannot (for example, because of a scope limitation that prevents the needed testing), a Disclaimer of Opinion is issued instead.
Type 1 or 2
While this is one of the most misunderstood parts of SOC reports, it’s very simple.
A Type 1 report covers a single point in time: as of the date stated in the report (and ONLY that date), the system was as described and the controls were suitably designed. Operating effectiveness over time is not tested.
So if you have never had a SOC report before, or you know that controls were broken in the past but have since been fixed, a Type 1 is the usual starting point, because it does not look back over a period in which those problems would have surfaced.
A Type 2 report means the auditor gathered evidence to verify that, throughout a specified period, the system was as described and the controls operated effectively. For example, a Type 2 report would state a period such as 01/01/2019 – 07/12/2019, and the testing covers the whole of that window.
While Foresite is not a CPA firm and does not perform SOC 2 audits, it helps clients identify which level of compliance (report type and scope) they should aim for to meet their objectives and requirements, and how to prepare to pass the audit.