By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
SOC 2 Reports – Part 3
A discussion of the different types of opinions and what might drive the auditor to choose a particular opinion.
Most readers would regard the audit opinion as the centerpiece of the SOC 2 Examination Report. The audit opinion is included in the Independent Service Auditor’s Report, which is Section I of a SOC 2 report. The opinion is the overall conclusion arrived at by the service auditor. For better or worse, the extent of many readers’ due diligence of the SOC report simply includes flipping to the opinion, verifying it is “clean,” and closing the file until next year’s report.
What does the auditor opinE on?
The service auditor’s opinion addresses three subjects (two for a Type I):
- Whether or not the description of the system (Section III) is presented fairly.
- Whether the controls presented in the description were designed effectively.
- Whether the controls presented in the description were operating effectively. (SOC 2, Type II Report Only)
We dive into the details of each of these in Part 2 of this series: What Does the Auditor Opine On?
To arrive at the opinion over the three areas, the service auditor performs extensive testing and analysis and ultimately determines whether or not there are any material misstatements in the above areas. If there are material deviations, the auditor will modify the opinion. Otherwise, the auditor will issue an unmodified opinion.
Types of SOC Examination Opinions
There are several types of audit opinions that fall into two categories: unmodified and modified.
Service auditors issue unmodified opinions when there are no material inaccuracies in the description of the system and no material design or operating effectiveness issues discovered during the audit. The phrase “unmodified opinion” is still fairly new in the world of public accounting. For a long time, the technical phrase was “unqualified opinion,” to indicate the auditor issued their opinion without “except for” type qualifications. An unmodified opinion is colloquially referred to as a “clean opinion.”
Service organizations want to receive an unmodified opinion from their auditor.
Modified opinions come in three flavors: qualified opinions, adverse opinions, and disclaimer of opinions.
The service auditor issues a qualified opinion when either of the two conditions exist:
- The auditor finds misstatements that are material to the description, but believes they are limited to a specific area (not pervasive)
- The auditor is unable to obtain sufficient evidence for specific controls, and believes that possible effects on the description would be material but not pervasive to the description.
A service auditor’s report with a qualified report will feature a paragraph titled: Basis for Qualified Opinion in which the auditor discloses the rationale for the qualification. The following paragraph is the opinion, which essentially says, “In our opinion, except for the issues disclosed in the preceding paragraph…”. This is the “except for” qualifying statement which gives rise to the term qualified opinion.
An auditor issues an adverse opinion when the auditor is able to obtain sufficient evidence, but the evidence indicates that there are material and pervasive inaccuracies in the description and weaknesses in the design/operating effectiveness of the controls.
Adverse vs Qualified Opinion
Qualified and adverse opinions both find that the underlying causes for the modifications are material. However, the issues giving rise to a qualified opinion are not pervasive. Rather, those issues are confined to a specific area, for example, Change Management.
Disclaimer of Opinion
If the service auditor is not able to obtain sufficient appropriate evidence upon which to formulate an opinion, the auditor will issue a disclaimer and expressly state that they do not express an opinion on the subject matter. Disclaimers are extremely rare. Generally, organizations at most risk for a disclaimer are those that undergo a SOC 2 exam without any prior preparation.
Every SOC 2 examination yields a report, and each report yields a service auditor’s opinion. There are two primary types of opinions: unmodified and modified.
The unmodified opinion, long known as the unqualified or clean opinion, is the type of opinion for which service organizations strive. It indicates the auditor did not find any material issues during the audit.
Modified opinions, including qualified opinions, disclaimers of opinion, and adverse opinions are all undesirable outcomes for the service organization. Qualified opinions indicate the auditor found material issues with the report, but that the scope of the issues was limited. An adverse opinion, however, indicates the auditor found material issues that were pervasive to the subject matter. A disclaimer of opinion indicates that the auditor could not obtain sufficient audit evidence to issue an opinion and specifically indicates in the report that they are not issuing an opinion.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.