In this blog, we will discuss the concept of reasonable assurance, how it differs from absolute assurance, and how both relate to SOC report opinions. Understanding what reasonable assurance means is useful both to management of the service organization and to the users of the SOC report. In a SOC report, the service auditor provides reasonable assurance that control objectives, or service commitments and system requirements, were achieved, but not absolute assurance. We dive into why below.
What is a SOC Report?
First, let’s clarify what a SOC report is before diving into the details of reasonable assurance in relation to SOC report opinions. SOC stands for System and Organization Controls, and there are several different types of SOC reports available. A SOC report is obtained by a service organization, or other organization, in order to demonstrate the system and/or entity-level controls in place related to the services it provides. A SOC 1 report focuses on the controls at the service organization that are relevant to the user entities’ internal control over financial reporting. A SOC 2 report focuses on the controls relevant to one or more of the following categories, as they apply to the system and the client data it processes:
- Security
- Availability
- Confidentiality
- Processing integrity
- Privacy
These five categories make up the Trust Services Criteria, or TSCs. Security is required in every SOC 2 report; the other four categories are included based on the service commitments the organization makes to its clients. For further information, check out this blog on the differences between SOC 1 and SOC 2 reports.
SOC Report Opinions
When reviewing a SOC report provided by a service organization, you will note that every SOC report contains an opinion issued by the service auditor. There are four types of opinion the service auditor can issue based on the results of their procedures: unmodified (often called unqualified), qualified, disclaimer, and adverse. An unmodified opinion is a clean opinion. This does not mean that no exceptions were identified; it means that any exceptions identified were not significant enough to conclude that the controls were not suitably designed (Type I and Type II reports) or not operating effectively (Type II reports only) to achieve the control objectives or service commitments. For the purpose of this blog, we will focus on reasonable assurance as it relates to an unmodified opinion. For further information, see this blog on the types of audit opinions.
What is Reasonable Assurance?
Many people are more familiar with the concept of reasonable assurance as it relates to financial statement audits, but the concept is similar for SOC reports. Paragraph 17 of PCAOB Auditing Standard No. 2 (since superseded by Auditing Standard No. 5, now codified as AS 2201, which carries the same description of reasonable assurance forward) describes reasonable assurance as follows:
“Management’s assessment of the effectiveness of internal control over financial reporting is expressed at the level of reasonable assurance… Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. Although not absolute assurance, reasonable assurance is, nevertheless, a high level of assurance. The procedures performed as part of the audit and the results of those procedures allow the auditor to express an opinion regarding whether the financial statements are free of material misstatement.”
The concept of reasonable assurance is the same for SOC reports. The difference is the subject of the opinion: rather than the financial statements, the service auditor opines on whether the controls at the service organization were suitably designed and operating effectively to provide reasonable assurance that the control objectives were achieved (SOC 1) or that the service commitments and system requirements were achieved based on the applicable TSCs (SOC 2). The auditor applies the concept of materiality when performing the audit procedures and when evaluating the results, including the potential impact of any audit exceptions and control deficiencies. The term reasonable assurance is used because the auditor cannot examine 100% of the service organization’s activity, the information available, and every instance of every control in operation.
What is the Difference Between Reasonable Assurance and Absolute Assurance?
Reasonable assurance is a high level of assurance, but it is not the same as absolute assurance. With reasonable assurance there remains a remote likelihood that a material misstatement (or, in a SOC report, a material control failure) exists and was not detected, whereas absolute assurance would mean there is no such likelihood at all. The difference is stated in the names. Reasonable, as defined in the dictionary, means being in accordance with reason, moderate, and fair. Absolute, on the other hand, is defined as free from imperfection, perfect.
When issuing SOC reports, auditors do not issue absolute opinions. An absolute opinion would mean there was no likelihood of material misstatement, which, given the procedures an auditor performs, cannot be supported. Auditors would also take on a considerable amount of liability in claiming absolute assurance when they did not examine 100% of the information needed to reach their opinion.
Why do Auditors Give Reasonable Assurance?
Auditors use sampling, inquiry, inspection, observation, re-performance, and various other testing methods in order to form their opinion. In some instances auditors may test 100% of a population, but this is typically limited to specific areas where complete, reliable data is available to perform automated testing, not to every area of the audit. Since auditors do not examine 100% of the information for the audit period, which would be impractical, only reasonable assurance is provided rather than absolute assurance.
For absolute assurance, auditors would have to examine every transaction, control instance, etc., that occurred during the audit period. Even then, auditors rely on the client to provide the applicable information and are not present throughout the audit period to observe and test every control as it operates. For this reason, auditors would be extremely uncomfortable stating they had absolute assurance that no material misstatements occurred during the period. Reasonable assurance is still a high level of assurance: auditors exercise due professional care and perform sufficient testing to support their opinion.
Summary
SOC reports are used by service organizations to build trust with their clients by providing information about their internal control environment, specifically the controls in place over the services they provide. Whether it is a SOC 1 or SOC 2 report, there are four possible opinions the service auditor can issue. Service auditors provide reasonable assurance when presenting their opinion in a SOC report, because the likelihood of a material misstatement, although low, is never zero. Absolute assurance is not given by a service auditor when issuing a SOC report, as they do not examine 100% of the information that absolute assurance would require.
For further information on the process we undergo to assist our clients with completing a SOC audit, please contact us.
Megan Kovash works primarily on SOC audits, with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Master of Accountancy at the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions that better her clients’ businesses.