What is a qualified SOC report and is it bad? These questions come up almost every time a qualified auditor report is issued to a service organization. The person(s) asking these questions are usually comparing a qualified service auditor’s report (SOC 1 or SOC 2) to a going concern opinion on a financial statement audit. Both are concerning, but how do they differ? What is the difference between a qualified SOC report and an unqualified SOC report? What are the types of opinions a SOC report can receive? How bad is a qualified audit report? In this post, we will cover these questions in order for users to better understand SOC report opinions.
What Type of Audit Reports Have These Opinions?
The types of audit reports and the associated opinions we will be discussing in this post are SOC 1 and SOC 2 reports. SOC stands for ‘System and Organization Controls’, and SOC reports are governed by the AICPA, specifically the SSAE 18 standard. Below is a brief overview of SOC 1 and SOC 2 reports:
- A SOC 1 report is an attestation report in which management defines the controls in place at the service organization that are relevant to control objectives that are key to the services they provide to their clients. Typically, these controls are a mixture of IT and business processes, and the services covered impact a client’s internal controls over financial reporting. Management provides an assertion as to whether these controls were designed (Type I) and operating (Type II) effectively, and a CPA firm then issues an opinion on whether or not they agree with this assertion.
- A SOC 2 report is also an attestation report in which management defines the controls in place at the service organization that are relevant to the AICPA’s Trust Services Criteria: Security (Common Criteria), Availability, Confidentiality, Processing Integrity, and Privacy. Management provides an assertion as to whether these controls were designed (Type I) and operating (Type II) effectively, and a CPA firm then issues an opinion on whether or not they agree with this assertion.
A SOC 1 or SOC 2 report can be one of two types: a Type I or a Type II. A Type I SOC report is issued stating that a service organization’s controls are designed effectively at a point in time. A Type II SOC report is issued stating that a service organization’s controls are designed AND operating effectively for a specified period of time. For further information, please refer to our article which discusses the differences between A Type 1 vs Type 2 SOC Reports.
What are the Four Types of Audit Opinions?
The four types of opinions SOC reports can be issued with are: unqualified, qualified, disclaimer, and adverse opinions.
A disclaimer opinion typically means that the service auditor was unable to issue an opinion as they were limited by the service organization in the information they requested or procedures performed.
An adverse opinion is the worst opinion that can be issued. An adverse opinion indicates that the users of the SOC report cannot place any reliance on the service organization’s system.
In both cases, the user may want to communicate with their service provider to better understand the circumstances that drove the service auditor to issue these opinions and possibly switch service providers. Continue reading for information on what an unqualified report opinion and a qualified report opinion mean.
What is an Unqualified Audit Report?
What does it mean when your SOC report has an unqualified opinion? An unqualified opinion indicates that the controls tested as part of the report appear to be designed (Type I) and operating (Type II) effectively. An unqualified opinion doesn’t mean there were no issues/exceptions identified by the service auditor. An unqualified report can have issues identified by the service auditor in the testing they performed. If issues were identified but the report was unqualified, then the service organization and their auditors were able to mitigate and/or remediate the risks presented by the issues and the control was deemed effective despite these issues.
By issuing an unqualified report with issues, the service auditor did not believe that the issues identified resulted in a material weakness in the control environment. The user of the report will still want to understand the issues identified, but with an unqualified report opinion, the service auditor’s opinion is that the user of the report can place reliance on the service organization’s system.
What is a Qualified Audit Opinion?
If a SOC report is issued with a qualified opinion, it indicates that a control or controls were not designed (Type I) and operating effectively (Type II). A qualified report indicates that issues identified in the report were significant enough to deem one or more controls ineffective. Qualified report opinions are actually quite common and they are not considered as severe as an adverse or disclaimer opinion.
What does it mean for the user obtaining a qualified SOC report from their service provider? A qualified SOC report does not mean that you cannot rely on the report at all. The control objectives in the report that are designed and/or operating effectively can still be relied upon in most cases. It is the control(s) with deficiencies that will need further work on the part of the user.
For financial statement purposes, a client’s external auditor may be able to perform additional testing on secondary controls at the user level to mitigate the risk presented by the ineffective control(s) in the SOC report. It will depend on the user of the report to examine the services rendered by the organization and the controls they have in place at their organization to determine how much, if any, reliance will be placed on a qualified report.
For further information regarding qualified audit opinions and how they affect organizations, refer to our article, SOC Qualified Opinions & What they Mean for Your Organization.
What is the Difference Between a Qualified and Unqualified Audit Report?
As stated above, if a SOC report is issued with a qualified opinion, it indicates that a control or controls were not designed (Type I) and operating effectively (Type II). An unqualified opinion indicates that the controls tested as part of the report appear to be designed (Type I) and operating (Type II) effectively.
Both reports can have issues/exceptions identified by the service auditor, but the key difference is that in an unqualified report, the controls were still deemed effective despite any issues that may have been identified, whereas with a qualified report, a control or controls were found not to be designed and/or operating effectively. For the user of the report, a qualified audit report will mean more work for them in order to determine how the control deficiencies impact their control environment and how to mitigate the risk of these controls not being designed or operating effectively.
Many times we get the question, “how bad is a qualified report?” and the answer is always, it depends. It depends on the controls in question that failed and how those control failures impact the users of the report. In many cases, users of the service organization have compensating controls in place that can help mitigate the risk presented by the failure of the controls at the service organization. Other times, additional audit procedures can be performed by the user entity to determine if the controls that failed impacted their control environment or financial statements and to what extent.
How is a Going Concern Opinion Different From a Qualified Report?
A going concern opinion often means the organization is in financial peril and may meet its demise very soon. However, a qualified opinion on a service auditor’s report is more akin to a material internal control weakness disclosure for SEC registrants who have to issue such disclosures for Sarbanes-Oxley Act purposes. A qualified opinion in a service auditor’s report could be described as similar to a significant deficiency or material weakness in internal control disclosure.
All should be avoided by management, though the going concern opinion is the worst of the opinions just described.
Summary
There are four different opinions that can be issued with a SOC report: unqualified, qualified, disclaimer, and adverse. Though a qualified report opinion is not ideal, many service organizations issue a qualified report at some point in time, especially in their first year of issuing a SOC report.
A qualified report is not the worst-case scenario when issuing a SOC report, but a service organization should strive to obtain an unqualified opinion. An unqualified report does not indicate that no issues were identified, but rather that the service organization’s controls are designed (Type I or II) and operating (Type II) effectively.
Regardless of the opinion issued with the report, it is up to the user of the report to determine how the results of the report affect the services being provided to them.
This article was originally published on 12/12/2018, and was updated on 1/27/2021.
Megan Kovash works primarily on SOC audits with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Masters of Accountancy with the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her client’s business.