In the event that a user obtains a System and Organization Controls (SOC) Report and sees that the service auditor has modified their opinion in some way, questions should surface for that user that they hope to have answered by continuing to read the report.
Since the service auditor is providing an opinion on whether (a) the description of the service organization’s system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria (SOC 2) or control objectives (SOC 1), and (c) that those controls were operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria (SOC 2) or control objectives (SOC 1), the user will want to know exactly which aspect of the opinion is modified.
A SOC report user will need to be presented with as much information as possible, regardless of what caused the modified opinion, so as to avoid needing to request additional information to understand its basis. For example, the report opinion might be modified because the pervasiveness of testing exceptions led to controls not operating effectively throughout the period. In this case, it is helpful for the report user to be able to understand the causative factors of the testing exceptions, the controls in place that mitigate the effect of the exceptions, what corrective actions management has taken, and any other information relevant to the exceptions that would help a user to understand how it has been addressed by management.
With this information at hand, the user can make an informed decision as to whether the report is sufficient for their specified purposes or if further third party risk management activities are necessary.