Qualified opinions mean that the internal controls were either not suitably designed (Type I or Type II report) or not operating effectively (Type II report only) for one or more control objectives included within a SOC 1 report or Trust Services Criteria included within a SOC 2 report.
In a SOC report, management asserts that certain controls are in place. If the auditor performs test procedures that contradict management’s assertion, they may issue a qualified report opinion. See our recent blog post on assertions.
Qualified opinions (also known as “dirty opinions” in audit jargon) are actually quite common. Many service organizations that have received a qualified opinion received it in the first year of the examination, but it’s also common for control failures to occur when controls have operated successfully in the past. One common reason for report qualification is employee turnover: a control performed by a former employee is no longer performed consistently by the employee who takes it over.
A qualified opinion means that the user organization and the user auditor cannot place reliance on the controls supporting a particular area at the service organization. Note that a single qualification does not mean that reliance may not be placed on other areas of the report with no qualifications.
Example: A service organization fails to disable access for a former employee. The employee continues to access the service organization’s systems following termination as evidenced by logs. In this case, there would be a logical access qualification within the report which would be reflected by the CPA firm’s opinion in the report.
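The logical access example above is one a user auditor can test directly from evidence: the HR termination list is reconciled against authentication logs, and any successful login after a user's last working day is an exception. The script below is an added illustration of that reconciliation and is not part of the original post; the termination dates, the syslog-style log lines and the `sshd` message format are all constructed for the example.

```python
"""Reconcile successful logins against HR termination dates.

Added example (not from the original post). Flags any successful login by a
user that occurs after that user's recorded last working day, which is the kind
of log evidence behind a logical access qualification. The user list, dates and
log format below are constructed for this illustration.
"""
import re
from datetime import date, datetime

# Constructed termination list: username -> last working day (hypothetical data).
TERMINATIONS = {
    "jdoe": date(2024, 3, 15),
    "asmith": date(2024, 2, 29),
}

# Constructed sample log lines in a simple syslog-like sshd format (hypothetical data).
SAMPLE_LOGS = """\
2024-03-14T08:02:11Z auth sshd: Accepted publickey for jdoe from 10.0.0.5
2024-03-16T09:15:43Z auth sshd: Accepted password for jdoe from 10.0.0.5
2024-03-20T17:40:02Z auth sshd: Failed password for jdoe from 10.0.0.9
2024-03-01T12:00:00Z auth sshd: Accepted publickey for asmith from 10.0.0.7
2024-03-18T10:22:30Z auth sshd: Accepted publickey for bwong from 10.0.0.8
"""

# Only successful ("Accepted") logins count as access; failed attempts are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_successful_logins(log_text):
    """Yield (timestamp, user, source_ip) for each successful login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are not access events
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("user"), m.group("src")


def find_post_termination_access(log_text, terminations):
    """Return a list of (user, timestamp_iso, source_ip) for logins after the
    user's last working day. Users not in the termination list are ignored."""
    findings = []
    for ts, user, src in parse_successful_logins(log_text):
        last_day = terminations.get(user)
        if last_day is not None and ts.date() > last_day:
            findings.append((user, ts.isoformat(), src))
    return findings


if __name__ == "__main__":
    for user, when, src in find_post_termination_access(SAMPLE_LOGS, TERMINATIONS):
        print(f"EXCEPTION: {user} logged in at {when} from {src} after termination")
```

In the constructed data the two flagged events are `jdoe` on 2024-03-16 and `asmith` on 2024-03-01; the failed attempt by `jdoe` and the login by the still-employed `bwong` are not exceptions. In a real examination the termination list would come from HR records and the logs from the identity provider or hosts in scope, and the comparison would need to account for time zones and the organization's stated deprovisioning window.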
Service auditors and organizations alike should not back down from a situation where the report needs to be qualified. Management should recognize mistakes or other errors in processing and auditors should not be afraid to call out a problem. Both parties should place public interests first and foremost, and sometimes this means “calling a spade a spade.”
How Bad is a Qualified Report Opinion?
How bad is a qualified report? This question comes up almost every time a qualified report is issued to a service organization. The person asking this question is usually comparing a qualified service auditor’s report (e.g., SOC 1) to a going concern opinion on a financial statement audit. Both are bad. But how bad?
A going concern opinion often means the organization is in financial peril and may meet its demise very soon. However, a qualified opinion on a service auditor’s report is more akin to a material internal control weakness disclosure for SEC registrants who have to issue such disclosures for Sarbanes-Oxley Act purposes.
A qualified opinion in a service auditor’s report is similar to a significant deficiency or material weakness in internal control disclosure. All should be avoided by management, though the going concern opinion is the worst of the opinions just described.
Qualified Report Opinion vs. Going Concern
What is a going concern? A going concern is the ongoing assumption that an organization or entity will continue to operate for a period of time sufficient to meet its obligations. A SOC report qualification is related to one or more areas covered in the scope of the report and does not relate to the ongoing operation of a service organization. It is possible for an organization with a going concern issue to have no issues in its SOC report, and it is also possible for an organization to have a qualified report but no issues relating to going concern.
Four Types of Audit Opinions
Below are the four types of audit opinions and their definitions:
- Unmodified – This is a clean report opinion with no modifications.
- Qualified – Qualified opinions are expressed when auditors conclude that they cannot express unqualified opinions, and the effects of disagreements with the organization’s management or limitations of scope are not so pervasive and material as to require adverse opinions or disclaimers of opinion. The example above related to logical access would result in a report qualification; unless there were pervasive issues across other areas of the report, there would not be an adverse opinion.
- Disclaimer – A disclaimer opinion is provided when auditors can’t express an opinion. This typically occurs when an organization limits the auditors. For example, if the company does not provide the auditors with adequate information to give an opinion, the CPA firm may disclaim their opinion. Other instances when auditors may not be able to render an opinion include when books of accounts are not appropriately maintained and when the auditors are unable to perform procedures they believe are necessary.
- Adverse – An adverse opinion is the most severe opinion that a CPA firm can provide. Misleading or incomplete financial statements may lead auditors to give an adverse opinion. An adverse opinion in the context of a SOC report often means that the report users cannot place any reliance on the service organization’s system.
How to Evaluate a Modified Report Opinion Related to Your Service Organization
What if you request your service organization’s control report and it contains a qualified opinion? Should you be concerned? The answer is… it depends. The qualified area of the report must be considered in relation to the services being utilized by the user organization.
For example, if there is a qualification related to physical access, and physical access is an aspect of the service organization’s service that is not relevant to the user organization, then it is possible that the qualification in that area is not relevant to the report user. If, on the other hand, an organization is considering outsourcing the physical security of its servers to a service organization, and that service organization has a qualified physical access control objective, the outsourcing organization may want to consider using a different subservice organization.
To summarize, SOC report qualifications are fairly common. They relate to an area of the report in which the auditor finds exceptions. If the exceptions in a particular area are severe enough, the auditor may provide a qualified opinion related to that area.
Qualified opinions should be considered in context to the services being received by a user organization. If the qualification potentially impacts the services provided to a user organization, the user organization must consider whether the issues are severe enough to warrant using a different service organization.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.