How to Address a Modified Opinion in your SOC Report

In the event that a user obtains a System and Organization Controls (SOC) Report and sees that the service auditor has modified their opinion in some way, questions should surface for that user that they hope to have answered by continuing to read the report.

Since the service auditor is providing an opinion on whether (a) the description of the service organization’s system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria (SOC 2) or control objectives (SOC 1), and (c) that those controls were operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria (SOC 2) or control objectives (SOC 1), the user will want to know exactly which aspect of the opinion is modified.

A SOC report user will need to be presented with as much information as possible, regardless of what caused the modified opinion, so as to avoid needing to request additional information to understand its basis. For example, the report opinion might be modified because the pervasiveness of testing exceptions led to controls not operating effectively throughout the period. In this case, it is helpful for the report user to be able to understand the causative factors of the testing exceptions, the controls in place that mitigate the effect of the exceptions, what corrective actions management has taken, and any other information relevant to the exceptions that would help a user to understand how it has been addressed by management.

With this information at hand, the user can make an informed decision as to whether the report is sufficient for their specified purposes or if further third party risk management activities are necessary.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

National Flood Insurance Program Extension
Continued Compliance with CAISO SQMD Requirements in Non-Reporting Years
Bill S. 1564 Calls for Delay of CECL Implementation Until a Quantitative Economic Impact Study is Completed
Artificial Intelligence in Higher Education
Why Higher Education Institutions Must Comply with GDPR
Minimizing Higher Ed Risks - Utilizing Internal Audit and Data Analytics

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102