Qualified Opinions

What is a qualified opinion and what does it mean?

A qualified opinion means that either the internal controls were not designed (Type I or II) or operating (Type II only) effectively for one or more control objectives.  Qualified opinions (also known as “dirty opinions” in audit jargon) are actually quite common.  Most service organizations that have received a qualified opinion received it in the first year of the examination.  The reason is some service organizations have trouble following processes in a consistent manner and documenting that controls are working.

A qualified opinion means that the user organization and the user auditor cannot place reliance on the controls supporting a particular area at the service organization.  Here’s a scenario, a service organization is performing fund accounting activities and is responsible for accurately calculating and recording the cost of securities.  This service organization fails to accurately calculate the securities during the coverage period.  Therefore, the control objective that this activity relates to would be qualified and reflected in the wording of the opinion on the report.

Service auditors and organizations alike should not back down from a situation where the report needs to be qualified.  Management should recognize mistakes or other errors in processing and auditors should not be afraid to call out a problem.  Both parties should place public interests first and foremost and sometimes this means, “calling a spade a spade.”

3 thoughts on “Qualified Opinions

  1. What additional steps do you take as auditors to ensure you are comfortable with the service provider used by a client (given their service provider has been issued a qualified opinion due to the failure of multiple IT control processes)?

  2. The service organization’s qualified opinion should be viewed in the context of the services that are provided to the user organization. Not all controls are created equal and therefore requires careful analysis to see what risks are not being covered due to control deficiencies. In some instances, it may necessitate the user organization to implement new controls. In other instances, it may be better for user organization to find a new provider (service organization). Still, in other instances, it may mean nothing. Context and risks of what can go wrong are the key consideration when evaluating a qualified opinion.

Leave a Reply

Your email address will not be published. Required fields are marked *