At Linford & Company we perform many SOC 1 (formerly SSAE 16) and SOC 2 engagements. Statement on Standards for Attestation Engagements No. 16 (SOC 1) is an attestation standard under which a service organization’s auditor issues an opinion on the service organization’s internal controls over financial reporting. Service Organization Controls 2 (SOC 2) reports are based on the AICPA’s Trust Service Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy.
The issued report attests that the service organization has undergone a thorough examination of the relevant control objectives and related control activities, covering internal controls over financial reporting (for a SOC 1) or the Trust Service Principles included in scope (for a SOC 2). The opinion section of the report contains the auditor’s opinion, which states whether the service organization’s description of controls is presented fairly, whether the controls are suitably designed, and whether the controls operated effectively over a specified period of time.
So, how are issues or findings represented in a report by the service organization’s auditor, and what impact do they have on the reader of the report (the user entity)? Each SOC report contains a section (generally Section IV) that lists the specific control activities tested, how they were tested and the results of the testing. If issues are identified during testing, the service organization’s auditor includes details of the findings in this section, and management of the service organization may include a response to each issue. The service auditor considers all issues or findings in this section to determine whether the report receives a qualified opinion.
A qualified opinion means that the internal controls were either not designed (Type I or Type II) or not operating (Type II only) effectively for one or more control objectives, or for one or more of the Trust Service Principles. In practice, a qualified opinion means that the user organization and the user auditor cannot rely on the controls supporting that particular area at the service organization.
As the user entity, it is important to assess the risk of any findings noted in a SOC report, even if the findings do not aggregate to a qualified opinion. Once that risk has been assessed, the user entity should identify any compensating or risk-mitigating controls of its own. Where findings in tests of controls have been identified, management at the service organization may disclose the cause of the finding, corrective actions taken, or other qualitative factors that help readers of the SOC report understand the effect of the exceptions.
For a SOC 1, user entities should determine how any exceptions could affect the financial statements in question; for a SOC 2, the user entity should assess the service organization’s ability to meet its service level agreements.