SOC Qualified Opinions & What they Mean for Your Organization

A qualified opinion means that the internal controls were either not suitably designed (Type 1 or Type 2 report) or not operating effectively (Type 2 report only) for one or more control objectives in a SOC 1 report or Trust Services Criteria in a SOC 2 report.

In a SOC report, management asserts that certain controls are in place. If the auditor's test procedures produce evidence that contradicts management's assertion, the auditor may issue a qualified opinion. See our recent blog post on assertions.

Qualified opinions (also known as "dirty opinions" in audit jargon) are actually quite common. Many service organizations that receive a qualified opinion receive it in the first year of the examination, but it is also common for a control that operated successfully in prior periods to fail. One frequent cause is employee turnover: a control performed by a former employee is no longer performed consistently by the person who inherited it.

A qualified opinion means that the user organization and the user auditor cannot rely on the controls supporting the qualified area at the service organization. A single qualification does not, however, prevent reliance on the other areas of the report that carry no qualification.

Example: A service organization fails to disable access for a former employee, and the logs show that the employee continued to access the service organization's systems after termination. This would produce a logical access qualification in the report, reflected in the CPA firm's opinion.
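The logical-access failure in that example is exactly the kind of finding a user organization or auditor can reproduce from evidence. The following is an added example, not code from the original post: it cross-references a constructed HR termination roster against constructed, sshd-style authentication log lines and reports every successful login that occurred after the user's termination time. The roster, log format and usernames are hypothetical; the optional grace period models a de-provisioning SLA, so logins inside it are not flagged.

```python
"""Flag successful logins by terminated employees (constructed data, added example)."""
import re
from datetime import datetime, timedelta, timezone

# Hypothetical HR termination roster: username -> termination time (UTC).
TERMINATIONS = {
    "jdoe": datetime(2023, 3, 15, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2023, 3, 20, 12, 0, tzinfo=timezone.utc),
}

# Constructed authentication log in a simplified sshd/syslog style; not real data.
AUTH_LOG = """\
2023-03-15T16:45:10Z sshd[1201]: Accepted publickey for jdoe from 10.0.4.21
2023-03-16T08:02:33Z sshd[1305]: Accepted password for jdoe from 10.0.4.21
2023-03-16T09:10:00Z sshd[1306]: Failed password for jdoe from 203.0.113.9
2023-03-18T11:22:45Z sshd[1402]: Accepted publickey for mlee from 10.0.4.30
2023-03-21T07:30:12Z sshd[1510]: Accepted password for asmith from 10.0.4.44
2023-03-22T22:14:01Z sshd[1611]: Accepted publickey for jdoe from 10.0.4.21
"""

# Matches the constructed line layout above: timestamp, process, result, method, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def find_post_termination_access(log_text, terminations, grace=timedelta(0)):
    """Return successful logins that occurred after the user's termination time plus grace.

    Only 'Accepted' events count as evidence of access; failed attempts are ignored here,
    although a failed attempt after termination still indicates the account was not disabled.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Accepted":
            continue
        term = terminations.get(ev["user"])
        if term is not None and ev["ts"] > term + grace:
            findings.append(ev)
    return findings


def summarize(findings):
    """Collapse findings to {user: (login_count, first_post_termination_login)}."""
    by_user = {}
    for ev in findings:
        by_user.setdefault(ev["user"], []).append(ev["ts"])
    return {user: (len(times), min(times)) for user, times in by_user.items()}


if __name__ == "__main__":
    for ev in find_post_termination_access(AUTH_LOG, TERMINATIONS):
        print(f"{ev['ts'].isoformat()} {ev['user']} from {ev['src']} (terminated, still accepted)")
    print(summarize(find_post_termination_access(AUTH_LOG, TERMINATIONS)))
```

On the constructed data this reports two post-termination logins for jdoe and one for asmith, while mlee (not on the roster) is never flagged; with a seven-day grace period only jdoe's 22 March login remains. In a real review the roster would come from the HR system of record and the log from a central log store, and the first post-termination login per user is the figure the auditor will want.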

Service auditors and service organizations alike should not back down when a report needs to be qualified. Management should acknowledge mistakes and processing errors, and auditors should not be afraid to call out a problem. Both parties should put the public interest first, and sometimes that means "calling a spade a spade."

How Bad is a Qualified Report Opinion?

How bad is a qualified report? This question comes up almost every time a qualified report is issued to a service organization. The person asking this question is usually comparing a qualified service auditor’s report (e.g., SOC 1) to a going concern opinion on a financial statement audit. Both are bad. But how bad?

A going concern opinion often means the organization is in financial peril and may meet its demise very soon. However, a qualified opinion on a service auditor’s report is more akin to a material internal control weakness disclosure for SEC registrants who have to issue such disclosures for Sarbanes-Oxley Act purposes.

A qualified opinion in a service auditor's report is therefore comparable to a significant deficiency or material weakness disclosure in internal control. Management should avoid all of these, but of the opinions just described, the going concern opinion is the worst.

Qualified Report Opinion vs. Going Concern

What is a going concern? Going concern is the assumption that an organization will continue to operate for a period sufficient to meet its obligations. A SOC report qualification relates to one or more areas within the scope of the report; it says nothing about the ongoing operation of the service organization. An organization can have a clean SOC report and still have a going concern issue, and an organization can have a qualified SOC report with no going concern issue at all.

Four Types of Audit Opinions

Below are the four types of audit opinions and their definitions:

  1. Unmodified – This is a clean report opinion with no modifications.
  2. Qualified – A qualified opinion is expressed when the auditor concludes that an unqualified opinion cannot be given, but the effects of the disagreement with management or the limitation of scope are not so pervasive and material as to require an adverse opinion or a disclaimer. The logical access example above would result in a qualification; unless there were pervasive issues across other areas of the report, it would not result in an adverse opinion.
  3. Disclaimer – A disclaimer is issued when the auditor cannot express an opinion. This typically occurs when the organization restricts the auditor's work. For example, if the company does not give the auditor enough information to form an opinion, the CPA firm may disclaim an opinion. Other cases in which the auditor may be unable to render an opinion include books and records that are not adequately maintained and procedures the auditor believes are necessary but cannot perform.
  4. Adverse – An adverse opinion is the most severe opinion a CPA firm can issue. Misleading or incomplete financial statements may lead the auditor to issue one. In the context of a SOC report, an adverse opinion generally means that report users cannot place any reliance on the service organization's system.

How to Evaluate a Modified Report Opinion Related to Your Service Organization

What if you request your service organization's control report and it contains a qualified opinion? Should you be concerned? The answer is: it depends. The qualified area of the report must be considered in relation to the services the user organization actually uses.

For example, if the qualification concerns physical access, and physical access to the service organization's facilities is not relevant to the service the user organization consumes, then the qualification may not be relevant to that report user. Conversely, if an organization is about to outsource the physical security of its servers to a provider whose report carries a qualified physical access control objective, the qualification is directly relevant, and the organization should consider a different provider.

Summary

To summarize, SOC report qualifications are fairly common. They relate to an area of the report in which the auditor found exceptions. If the exceptions in that area are severe enough, the auditor issues a qualified opinion for it.

Qualified opinions should be considered in the context of the services a user organization receives. If the qualification could affect those services, the user organization must decide whether the issues are severe enough to warrant moving to a different service organization.

See other recent blogs related to SOC reports: What is a SOC 1 Report? and What is a SOC 2 Report?

4 thoughts on "SOC Qualified Opinions & What they Mean for Your Organization"

  1. What additional steps do you take as auditors to ensure you are comfortable with the service provider used by a client (given their service provider has been issued a qualified opinion due to the failure of multiple IT control processes)?

  2. The service organization's qualified opinion should be viewed in the context of the services that are provided to the user organization. Not all controls are created equal, and therefore careful analysis is required to see what risks are not being covered due to control deficiencies. In some instances, it may require the user organization to implement new controls. In other instances, it may be better for the user organization to find a new provider (service organization). Still, in other instances, it may mean nothing. Context and the risks of what can go wrong are the key considerations when evaluating a qualified opinion.

  3. Are there regulations which stipulate when a SOC 2 report is required, and what the auditor’s credentials are required to be? I’m hearing “CPA” as a requirement, but I don’t find it in the regulations. Any insight would be most appreciated.

  4. Each state has its own accountancy rules (see https://www.colorado.gov/pacific/dora/Accountancy_Laws for Colorado's). All states require attestation engagements to be performed by CPAs with the requisite knowledge to perform an examination. Generally Accepted Auditing Standards (GAAS) stipulate that "the auditor must have adequate technical training & proficiency to perform the audit". CPAs must adhere to these standards.

    There are no regulations which stipulate when a SOC 2 report is required.
