OUR THOUGHTS ON:

How to Address a Modified Opinion in your SOC Report


By Nicole Healy

When a user obtains a System and Organization Controls (SOC) report and sees that the service auditor has modified the opinion in some way, questions should surface that the user will hope to have answered by continuing to read the report.

The service auditor provides an opinion on whether (a) the description of the service organization’s system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria (SOC 2) or control objectives (SOC 1), and (c) those controls were operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria (SOC 2) or control objectives (SOC 1). Because the opinion covers all three, the user will want to know exactly which aspect of the opinion is modified.

Regardless of what caused the modified opinion, a SOC report user will need to be presented with as much information as possible, so as to avoid having to request additional information to understand its basis. For example, the report opinion might be modified because the pervasiveness of testing exceptions led to controls not operating effectively throughout the period. In this case, it is helpful for the report user to be able to understand the causative factors of the testing exceptions, the controls in place that mitigate the effect of the exceptions, what corrective actions management has taken, and any other information relevant to the exceptions that would help a user understand how they have been addressed by management.

With this information at hand, the user can make an informed decision as to whether the report is sufficient for their specified purposes or whether further third-party risk management activities are necessary.


© 2018 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
