It is not unusual for an organization that is engaged in its first SOC 2 audit to receive a qualified (i.e. modified) opinion from its SOC auditor as it pursues the path toward a more robust and mature set of controls. It is also common for organizations that are in the midst of significant change or growth to receive a qualified opinion, even if they have many years of SOC 2 experience. A qualified opinion may be issued on a SOC 2 report for a variety of reasons. Here we consider the different reasons a SOC 2 report may be issued with a qualified opinion, SOC auditor considerations when issuing a qualified opinion, and what that may mean for the recipients of such an opinion.
A SOC auditor may issue a qualified opinion based on:
- A deficiency in the suitability of the design of controls.
- A deficiency in the operating effectiveness of controls (type 2 only).
- A conclusion that the system description is misstated.
- A situation where the auditor is unable to obtain sufficient appropriate evidence.
In determining whether to modify the opinion, the SOC auditor considers the individual and aggregate impact of identified deficiencies, misstatements, or scope limitations.
Suitability of the design of controls
Management of the service organization designs and implements controls to provide reasonable assurance that its service commitments and system requirements are achieved, based on the trust services criteria applicable to the report. To do this, management should identify the risks that threaten the achievement of its commitments and objectives and address them by designing and implementing controls to mitigate those risks. The SOC auditor will gain an understanding of the risk assessment process and assess whether the controls have appropriate linkage to the risks they are intended to mitigate. In other words, does the set of controls, assuming each control operates effectively, adequately address the risks that threaten the achievement of the service commitments, system requirements, and trust services criteria? A design deficiency can occur when a control necessary to accomplish this is missing, or when an existing control is not properly designed to mitigate the risk it is linked to. A control with a deficiency in its design cannot be an effective control, no matter how well it functions. If the service organization has a design deficiency and no compensating controls are in place that allow it to meet the service commitments, system requirements, and applicable criteria, then a qualified opinion may be issued related to the criteria that were not met as a result of the deficiency. Common design issues include:
- A control that has been assigned to an individual who does not have the appropriate authority and/or competence to perform the control as designed.
- Lack of segregation of duties.
- Inappropriate frequency of the operation of a control.
- Inappropriate nature of a control (e.g. manual vs. automated, or preventive vs. detective).
- A control that is so complex that its complexity lessens its effectiveness.
Operating effectiveness of controls
A deficiency in the operation of a control exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. The SOC auditor’s objective here is to obtain evidence that the control is being performed as designed, in a manner consistent with the control description, and by appropriate personnel according to company policy. Failure to perform a well-designed control will result in exceptions. Not all exceptions are treated the same, however, and the same is true when assessing the suitability of the design of controls. Exceptions noted for controls that are key to meeting the commitments, requirements and criteria are likely to result in a qualified opinion. For example, criterion CC9.2 in a SOC 2 report requires that the service organization assess and manage the risks associated with vendors and business partners. A key control for this criterion would be management’s annual review of sub-service organization attestation reports. Failure to perform this review would result in an exception. If there were no compensating controls, this would result in a qualified opinion because criterion CC9.2 was not adequately addressed. In contrast, if a criterion is supported by multiple controls that are operating effectively and only one non-key control has a noted exception, a qualified opinion may not be issued. There is a degree of professional judgment involved on the part of the auditor, but it comes down to whether the criteria are met. If the operation of one or two controls is largely responsible for meeting a criterion and an exception is noted for one of them, a qualification with regard to that criterion is more likely. Qualitative characteristics of exceptions are also considered.
For example, if policy requires privileged access for a terminated user to be removed within 24 hours of termination, an exception where access was removed after 48 hours is less severe than one where access remained in place for 6 months. This severity can be considered when determining whether a report is qualified.
Misstated or misleading system description
As part of the SOC engagement, the SOC auditor will evaluate whether the system description is misleading. The auditor will consider whether the system description contains statements that cannot be objectively evaluated, contains or implies facts that are not true, or distorts material information that might affect the decisions of the report users. Ordinarily, the SOC auditor will present such cases to management and ask that the description be amended. If management refuses to amend the description, this may lead to a qualification.
Scope limitation
A scope limitation occurs when the auditor is unable to obtain sufficient appropriate evidence on which to base a conclusion. A qualified opinion would be issued following the same reasoning described earlier. If a scope limitation surrounds a control that is key to meeting one of the trust services criteria, then a qualified opinion may be issued with respect to that criterion. If controls of a less critical nature cannot be evidenced due to a scope limitation, qualification is less likely. Scope limitations include:
- Circumstances beyond the control of management that leave it unable to produce the documents the auditor considers necessary to test a control. For example, an office containing physically maintained human resource documents may have been affected by a natural disaster, so management would be unable to provide documentation for certain human resource related controls.
- Circumstances related to the nature and timing of the SOC auditor’s work. For example, a procedure may have been performed by the organization prior to the examination period, or performed inconsistently during the period, and thus could not be observed. Scope limitations of this nature may be avoided if alternative procedures can be performed.
- Limitations imposed by management that prevent the SOC auditor from performing a procedure they consider necessary. This could occur if company policy prohibits the sharing of certain information that the auditor considers necessary to test a control. In this case, the scope limitation would state that evidence could not be obtained to determine whether a particular control was operating as designed.
Implications of a qualified opinion
What does it mean for an organization to receive a qualified opinion? Does it mean that the report cannot be relied on by its users when making business decisions, or that the company has failed to meet its customers’ trust and security requirements? The answer is that “it depends”. It is important for each user entity to determine the severity of the qualification as it pertains to its own vendor requirements and risk tolerance. What one user entity considers a deal breaker, another might consider a moderate or lower risk. SOC reports can be qualified based on one or many deficiencies, and it is not uncommon for companies new to SOC examinations to receive a qualified opinion. Although qualified opinions are not the desired outcome of a SOC 2 audit, they are not uncommon and can pave the way for remediation and improvement efforts by the service organization.