Understanding SOC 2 Opinions

If you just received a SOC 2 report and do not know where to start analyzing, this blog is for you!

SOC 2 reports can easily reach 50+ pages and can be too dense to understand right away. Reading it line by line could take a whole day. Let us simplify how to read the report and understand how a SOC 2 opinion can improve your company or determine if the vendor whose report you’re reading is right for you!

Verify the Auditor

The first step before digging into the report is to verify the audit firm that developed the report. Here are some questions to ask that will help with this:

  • What is the audit firm’s reputation?

In addition to evaluating typical criteria such as industry recommendations and time in business, you can also check out the audit firm’s peer review status.

The American Institute of Certified Public Accountants (AICPA) requires any SOC report to be issued by a licensed Certified Public Accountant firm and requires audit firms to complete an independent AICPA Peer Review of its auditing practice every three years. Check out how risk3sixty Compliance completed its peer review in 2019.

  • Is the audit firm independent of the Company?

The AICPA requires that the audit firm be independent of the service organization. This means the audit firm cannot act on the Company’s behalf. The audit firm can advise you on how to meet the SOC 2 criteria, but they are not able to implement or operate any controls to meet the SOC 2 criteria. Failure to maintain auditor independence could result in consequences from the AICPA and U.S. Securities and Exchange Commission.

Understand the Auditor’s Opinion

The second step is to check the auditor’s opinion located in the executive summary of the report. The opinion from the audit is decided from the following items:

  • If the controls were suitably designed
  • If the controls’ descriptions were presented in accordance with the AICPA description criteria
  • If the controls operated effectively over a specified period of time
  1. Unqualified Opinion

An Unqualified Opinion is what you should strive for in a SOC 2 audit. The controls provide assurance that the Company can achieve its service commitments and system requirements.

Having an unqualified opinion does not mean there were no exceptions. Exceptions can still exist if there are sufficient compensating controls to limit the overall risk. Compensating controls help the control environment meet the requirements as described by the SOC 2 criteria.

  1. Qualified Opinion

A Qualified Opinion results from material misstatements of the description or deficiencies in the design or operation of controls. Generally, a Qualified Opinion is rendered when the Company believes they are operating well, but the audit firm says there are some aspects of the Company that are not suitably designed or operating effectively. On the bright side, a Qualified Opinion suggests the issues identified are not too severe to make it an adverse opinion.

  1. Adverse Opinion

If you have received an adverse opinion in the report, this should be a major concern. This means that multiple controls and standards have failed, and the auditor could conclude the following based on the SOC 2 report:

  • The description does not present the system in accordance with the description criteria.
  • The controls were not suitably designed/operated effectively to provide reasonable assurance that the Company’s service commitments and system requirements would be achieved based on the applicable trust services criteria.
  1. Disclaimer of Opinion

This opinion means an opinion cannot be generated by the auditor as they were not able to validate if the controls are effective for the period. This opinion is rarely issued.

One way to avoid issuing this opinion is to update the test procedures for what can actually be tested based on the current environment of the controls. For example, the control design for physical security can be updated based on the effects of COVID-19. The Company taking pictures of key card scanners or cameras can be used as evidence instead of the auditor physically inspecting the scanners or cameras.

Validate the Audit Scope of the Opinion

The third step is to validate the scope of the SOC 2 report. The opinion of the SOC 2 Report does not always cover all of the solutions offered by a service organization. Some SOC 2 reports could only cover a single solution provided by the Company.

Any new Company services/solutions that are not described in the system description and controls will not be considered under the SOC 2 opinion.

Learn from the Opinion

The final step is to learn from the SOC 2 opinion and use the lessons to improve. Regardless of what the finalized auditor opinion is, here’s a starting roadmap toward improvement:

    1. Analyze the exceptions and make management action plans to remediate.

These should be a top priority for the Company to remediate for the upcoming year. Exceptions are vulnerabilities for the Company and red flags for vendors and clients. Creating an action plan to remediating the exceptions can prove that the Company is committed to providing secure, trustworthy services.

    1. Analyze the opportunities for improvement for the non-exceptions.

Even though there was no exception in the design of controls, you need to be aware of the best practices and focus on constantly improving. Some opportunities for improvement might become exceptions in the future based on the nature of the control. These suggestions should not affect the vendor and the client’s decision making, but it can provide further assurance that the Company is committed to improving.

    1. Review the design of the controls.

As the Company and services continue to grow and adapt to the market, the Company should stay on top of the security story that is being told and ensure the controls are still relevant based on the report. Review with the SOC 2 auditor before the next audit to ensure the control environment is still relevant and effective.

Conclusion

Having an unqualified opinion is the ideal situation, but having a qualified, adverse, or disclaimer opinion does not mean the end for your business. At risk3sixty, we specialize in SOC 2 compliance and can help you demonstrate the effectiveness of your security program to clients, prospects, vendors, and business partners.

If you are interested in our services, reach out to our SOC 2 experts to get started! You can learn about the basic process of getting a SOC 2 report here.

Share to

Share

Share to

Like our content? Subscribe and stay informed.