Can You “Fail” a SOC 2 Examination?

Originally published by A-LIGN here.

Written by Alex Welsh, Manager, ISO Practice, A-LIGN.

Although you can’t “fail” your SOC 2 report, it can result in report opinions to be noted as “modified” or “qualified”. Learn what this means for your organization.

Is your organization planning for a SOC 2 report? You’re not alone. SOC 2 is gaining in popularity across industries and across the globe. More and more customers are asking for demonstrated SOC 2 compliance, and independent cybersecurity control validation and attestation is becoming necessary to compete for high-priority contracts. Beyond customer demand, SOC 2 ensures that controls are properly implemented and used within your organization, greatly reducing potential security threats.

During the SOC 2 examination process, it’s the auditor’s job to provide an opinion on your organization. It’s during this process that the auditor decides if they agree that the controls pass regulations set forth, or if the controls need “modifications” or “qualifications” to paint a more realistic picture of your organization’s security posture. While you theoretically cannot “fail” a SOC 2 examination, there are SOC 2 reports that have control design or operating deficiencies, resulting in the audit report opinion to be “modified” or “qualified”. There are several reasons why this may occur, including:

• Management’s description of the system is not fairly presented in all material respects
• The controls are not suitably designed to provide reasonable assurance that the control objectives stated in the description of your organization’s system would be achieved if the controls operated as described
• In the case of a SOC 2 Type 2 report, the controls did not operate effectively throughout the specified period to achieve the related control objectives stated in the description of your system
• The service auditor is unable to obtain sufficient, appropriate evidence

Let’s take a closer look at opinion “modification” and “qualification” to learn how auditors may arrive at this conclusion and the strong evidence they would need to provide to support their claim.

What is Opinion Modification?

When determining whether to issue a “modified” or “qualified” opinion on the SOC 2 report, auditors consider the individual and aggregate effect of the identified deficiencies and deviations in your description of the system. They also must consider the suitability of the design and operating effectiveness of the controls throughout the specified period. Your auditor considers factors, such as the following:

• The likelihood that the deficiencies or deviations will result in errors or misstatements in the user’s data
• The magnitude of the errors or misstatements that could occur in the user’s financial statements as a result of the deficiencies or deviations
• The tolerable rate of deviations that the auditor has established
• The pervasiveness of the deficiencies or deviations
• Whether users could be misled if the service auditor’s opinion or individual components of the opinion were not modified

What Are the Three Types of Opinion Modifications?

Audit opinions are crucial to an organization because they speak to the integrity of the executive management team, directly affecting investors and stakeholders alike. Let’s take a look at the three types of audit opinion modifications to learn how your auditor may arrive at this conclusion.

#1. Qualified

“Qualified” opinion modifications occur when there are deficiencies or deviations in your description of the service organization’s system or the design of the controls. This type of opinion modification can also apply to the operating effectiveness of the controls being limited to one or more aspects of the description of your system, or the deviation not impacting all areas of the control objectives across the system.

#2. Adverse

Your auditor considers the need to issue an “adverse” opinion when the deficiencies or deviations in the description of your system, the suitability of the design of the controls, or the operating effectiveness of the controls are pervasive throughout the description or across all or most of the control objectives.

When the auditor has determined that an “adverse” opinion is appropriate, in addition to adding an explanatory paragraph to the report, the service auditor should modify the opinion paragraph of your report. The following is an example of such a paragraph:

In our opinion, because of the matter referred to in the preceding paragraph, in all material respects and based on criteria described in [name of service organization’s] assertion on page [xx], the description does not fairly present the [type or name of the system] that was designed and implemented throughout the period. The controls related to the control objectives stated in the description were not suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period [date] to [date]. The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, did not operate effectively throughout the period from [date] to [date].

#3. Disclaimer

A “disclaimer” modification is noted if the auditor is unable to obtain sufficient, appropriate information. This could be because you refuse to provide a written assertion (after initially agreeing to do so) and law or regulation does not allow the auditor to withdraw from the engagement. The disclaimer opinion modification may also occur if you refuse to provide a representation reaffirming its written assertion, allowing the auditor to withdraw from the engagement.

Paragraph .57 of AT section 801 states that if the auditor disclaims an opinion, their report should not identify the procedures that were performed nor include statements describing the characteristics of an auditor’s engagement, because to do so might overshadow the disclaimer. When disclaiming an opinion, in addition to adding an explanatory paragraph to the auditor’s report, they should also modify the opinion paragraph of the report by adding a sentence such as the following at the end of the opinion paragraph: “Because of the matter described in the preceding paragraph, the scope of our work was not sufficient to enable us to express, and we do not express, an opinion.”

Examples of Findings Leading to Qualified Opinion

Case 1. Modified SOC Report

A modified SOC report can be issued if software developers have the ability to introduce changes into the production environment, and this change could not be detected by detective controls in a timely manner by appropriate members of your organization.

Case 2. Qualified SOC Report

In another instance, a qualified SOC report can occur if you cannot demonstrate that adequate controls are in place to support a control objective described in the system description. This is most easily determined by exceptions noted in the test of controls performed.

If exceptions are noted upon testing a control activity, additional samples are selected to determine if a control is operating effectively. If it is determined that a key control needed to support a control objective is not operating effectively, the opinion within the auditor’s report must be modified to disclose that this control activity is not operating effectively.

Popular Reasons for Opinion Modification or Qualification

There are many reasons why your auditor may feel an opinion “modification” or “qualification” is necessary. In this situation, the auditor will describe the reasons for the modification of the opinion within the “basis for opinion” section of the report, providing you with information that is useful in understanding their findings. Let’s take a look at some of the most popular reasons opinion modification or qualification occurs.

Excessive logical or physical access

In the event that your organization has excessive logical access, for example, your organization has provided too many users with privileged access. For physical access, an example of this would be too many users having access to areas that should have limited access, such as server rooms.

Lack of supporting documentation

Your organization lacks supporting documentation and is unable to demonstrate the evidence that a control is executed.

Failure to properly scope

An example of an organization that fails to scope relevant aspects of its services within the system description would be a payroll company that fails to describe its payroll input, processing, or reporting processes.

Failure to analyze risk

Your organization does not address the inherent risks associated with the service it provides.

Failure to address issues

Your organization fails to address issues or incidents that occur.

Lack of consistency control execution

Your organization lacks consistent execution of controls in different management groups.

Failure to meet all aspects of an objective

Your organization would fail to meet all aspects of an objective or criteria if you were to perform backups but lack the controls to ensure the security of the backups, or if you did not periodically test that the backups actually work.

Prepare for a Successful SOC 2 Examination

Your SOC 2 report opinions being classified as “modified” or “qualified” may result in a negative perception of your executive team and stakeholders. To avoid this outcome, it’s imperative that you properly plan for your SOC 2 examination to ensure success and an in-depth report ready to share with your current and potential customers.

About the Author

Alex Welsh, CPA, CISA, CITP is a Manager at A-LIGN focused on ISO 27001, HIPAA, and SOC cybersecurity audits and is based out of Boca Raton, Florida. Within A-LIGN she is active outside of her role and has completed Leadership Academy, serves as Vice Chair of the Women’s Network, and committee member of the DE&I Network. Outside of A-LIGN, she is serving as Young CPA Chair of the FICPA and Meeting Committee Chair of the JLBR. Her additional involvement with the FICPA includes successfully completing their Emerging Leader program, involved as a Region Leader for the Emerging Leader Program, and committee member of Women in Leadership. Alex is passionate about giving back and does so with the Salvation Army, Junior Achievement, and Junior League of Boca Raton. She graduated from Florida State University with a Bachelor of Science in Accounting and Finance.