TL;DR: Open the SOC report, press Ctrl+F, and search for “Opinion.” If the audit opinion states, “In our opinion, in all material respects …” the report gets a gold star. See? That was even less than five minutes!
After performing SOC audits day-in and day-out and issuing hundreds of SOC reports to clients, it recently occurred to me that I may take for granted that everyone knows how to determine if a SOC report was a “pass” or a “fail.”
I’m not saying you shouldn’t read the entire SOC report, because you should; there’s a lot of essential and detailed information in those reports, but let’s be honest—reading that 100-page report could take some serious time. So, as an alternative to reading every page, there is an easy and quick way to summarize the results of a SOC 1 or SOC 2 report, and there are a few variations of “pass” and “fail.” Let’s clear those up first, then I’ll tell you exactly where to find them in the report.
“Pass” and “Fail” Opinions
Unqualified Opinion
The best outcome for the SOC report is when the audit firm states an “unqualified opinion.” This simply means the auditors have determined that the organization under examination can achieve its service commitments and system requirements as described in the report. This is also known as a “clean opinion,” which everyone wants to see. The unqualified opinion will use the following language: “In our opinion, in all material respects …”
Qualified Opinion
The second level of pass is in the form of a “qualified opinion.” This isn’t a bad thing, but it’s not a clean opinion either. A qualified opinion means the audit firm has determined that some controls at the organization aren’t designed well or aren’t operating as they should be. These can be minor and correctable (and explainable) issues that organization management acknowledges and has a reasonable plan to correct.
No one’s perfect, and a slip in control can happen from time to time. If you see a qualified opinion, you’ll want to dig deeper into the report to evaluate what “exceptions” were found by the auditor and management’s remediation plan. The qualified opinion will use the following language: “In our opinion, except for the matter referred to in the preceding paragraph …”
Adverse Opinion
The third type of opinion would move into the failure column. This is when the audit firm issues an “adverse opinion” in the report. This typically means the system description was not presented accordingly, the controls were not appropriately designed, or they did not operate effectively—all meaning that the organization would have trouble meeting its service commitments and system requirements.
This opinion should give you pause if you’re relying on that organization to provide any service to your business. The adverse opinion will use the following language: “In our opinion, because of the matter referred to in the preceding paragraph …”
Disclaimer Opinion
The fourth and final opinion is the dreaded “disclaimer of opinion.” This is the unicorn of SOC reports—it’s so rare that I’ve never seen one (and our firm has never issued one). But you can probably guess why these are never seen—what organization would ever distribute this version of their SOC report? A “disclaimer of opinion” means the audit firm has concluded that they could not validate if any of the controls were operating during the reporting period and were unable to complete the audit.
Where to Find the Auditor’s Opinion
Where can we find the auditor’s opinion in the report? There are typically four sections of the report, and you will want to locate the section titled “Independent Service Auditor’s Report.” This is usually either Section I or Section II of the report.
Once you find the auditor’s report section, scroll down to the “Opinion” section. Here’s where you’ll find out if the report is a pass or fail. Again, if the opinion is unqualified, you can put the report down with confidence and enjoy that second cup of coffee. If it’s any of the other opinions we discussed above, you’ll probably want to dig deeper into the details to learn what the findings mean.
I’m a visual person, so keep this in mind when reviewing the auditor opinions:
Unqualified Opinion =
Qualified Opinion =
Adverse Opinion =
Disclaimer Opinion =