When a user obtains a System and Organization Controls (SOC) report and sees that the service auditor has modified their opinion in some way, questions should surface that the user will hope to have answered by reading further in the report.
The service auditor provides an opinion on whether (a) the description of the service organization’s system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria (SOC 2) or control objectives (SOC 1), and (c) those controls were operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria (SOC 2) or control objectives (SOC 1). The user will therefore want to know exactly which aspect of the opinion is modified.
A SOC report user will need to be presented with as much information as possible, regardless of what caused the modified opinion, so that they do not have to request additional information to understand its basis. For example, the report opinion might be modified because the pervasiveness of testing exceptions led to controls not operating effectively throughout the period. In this case, it is helpful for the report user to be able to understand the causes of the testing exceptions, the controls in place that mitigate the effect of the exceptions, what corrective actions management has taken, and any other information relevant to the exceptions that would help a user understand how management has addressed them.
With this information at hand, the user can make an informed decision as to whether the report is sufficient for their specified purposes or whether further third-party risk management activities are necessary.