When a user obtains a System and Organization Controls (SOC) Report and sees that the service auditor has modified their opinion in some way, questions should surface that the user will hope to have answered by continuing to read the report.
The service auditor provides an opinion on whether (a) the description of the service organization’s system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria (SOC 2) or control objectives (SOC 1), and (c) those controls were operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria (SOC 2) or control objectives (SOC 1). The user will therefore want to know exactly which aspect of the opinion is modified.
A SOC report user will need to be presented with as much information as possible, regardless of what caused the modified opinion, so that they do not need to request additional information to understand its basis. For example, the report opinion might be modified because the pervasiveness of testing exceptions led to controls not operating effectively throughout the period. In this case, it is helpful for the report user to be able to understand the causative factors of the testing exceptions, the controls in place that mitigate the effect of the exceptions, what corrective actions management has taken, and any other information relevant to the exceptions that would help a user understand how they have been addressed by management.
With this information at hand, the user can make an informed decision as to whether the report is sufficient for their specified purposes or whether further third-party risk management activities are necessary.