TL;DR: Open the SOC report, Ctrl-F, and search for “Opinion,” and if the audit opinion states, “In our opinion, in all material respects…” the report gets a gold star. See? That was even less than 5 minutes!
After performing SOC audits day in and day out and issuing hundreds of SOC reports to clients, it recently occurred to me that I may take for granted that everyone knows how to determine if the SOC report was a “pass” or a “fail.”
Now, I’m not saying you shouldn’t read the entire SOC report, because you should; there’s a lot of essential and detailed information in those reports. But let’s be honest—that 100-page report could take some serious time to consume. So as an alternative to reading every page, there is an easy and quick way to summarize the results of a SOC report (this applies equally to SOC 1 and SOC 2 reports). And there are a few flavors of “pass” and a few flavors of “fail,” so let’s clear those up first, then I’ll tell you exactly where to find them in the report.
“Pass” and “Fail” Opinions
The best outcome for the SOC report is when the audit firm states an “unqualified opinion.” This simply means the auditors have determined that the organization under examination can achieve its service commitments and system requirements, as described in the report. This is also known as a “clean opinion,” and it is what everyone wants to see. The unqualified opinion will use the following language: “In our opinion, in all material respects….”
The second level of pass is in the form of a “qualified opinion.” This isn’t a bad thing, but it’s not a clean opinion either. A qualified opinion means the audit firm has determined that some controls at the organization aren’t designed well and/or aren’t operating as they should be. These can be minor and correctable (and explainable) issues that organization management acknowledges and has a reasonable plan to correct. Hey, no one’s perfect, so a slip in control can happen from time to time. If you see a qualified opinion, you’ll want to dig deeper into the report to evaluate what “exceptions” were found by the auditor and what management’s plan is to remediate. The qualified opinion will use the following language: “In our opinion, except for the matter referred to in the preceding paragraph….”
The third type of opinion moves over into the fail column. This is when the audit firm issues an “adverse opinion” in the report. This typically means the system description did not accurately present the system, and/or the controls were not appropriately designed and/or did not operate effectively—all meaning that the organization would have trouble meeting its service commitments and system requirements. This opinion should give you pause if you’re relying on that organization to provide any service to your own business. The adverse opinion will use the following language: “In our opinion, because of the matter referred to in the preceding paragraph….”
The fourth and final opinion, and the mother of all fails, is the dreaded “disclaimer of opinion.” This is the unicorn of SOC reports—it’s so rare that I’ve never actually seen one (and our firm has never issued one). But you can probably guess why these are never seen—what organization would ever distribute this version of their SOC report? A “disclaimer of opinion” means the audit firm has concluded that they could not validate if any of the controls were operating during the reporting period and were unable to complete the audit. Yikes!
Where to Find the Auditor’s Opinion
So, where can we find the auditor’s opinion in the report? There are typically four sections of the report, and you will want to locate the section titled “Independent Service Auditor’s Report.” This is usually either section I or section II of the report.
Once you find the auditor’s report section, scroll down to the “Opinion” section. Here’s where you’re going to find out if the report is a pass or fail. Again, if the opinion is unqualified, you can put the report down with confidence and enjoy that second cup of coffee. If it’s any of the other opinions we discussed above, you’ll probably want to dig a little deeper into the details to learn what the findings mean.
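If you triage a lot of vendor reports, the Ctrl-F routine above can be scripted. The following is an added example, not code from this post or any audit firm: it locates the “Opinion” text under the Independent Service Auditor’s Report in a plain-text export and maps the wording quoted above to a pass/fail verdict. The report excerpts are constructed samples, and the disclaimer wording (“do not express an opinion”) is an assumption since the post quotes none.

```python
import re

# Opinion wordings quoted in the post, ordered worst to best: a qualified
# opinion also contains "in all material respects", so it must be tested
# before the unqualified pattern. The disclaimer wording is an assumption.
OPINION_PATTERNS = [
    ("disclaimer of opinion", "FAIL", r"do not express an opinion"),  # assumed
    ("adverse opinion", "FAIL", r"because of the matters? referred to"),
    ("qualified opinion", "PASS (review exceptions)", r"except for the matters? referred to"),
    ("unqualified opinion", "PASS", r"in all material respects"),
]

def opinion_section(report_text):
    """Return the text after the "Opinion" heading inside the Independent
    Service Auditor's Report, or "" if that heading is not present."""
    start = re.search(r"independent service auditor.?s report", report_text, re.I)
    body = report_text[start.start():] if start else report_text
    heading = re.search(r"^\s*opinion\s*$", body, re.I | re.M)
    return body[heading.end():] if heading else ""

def classify_soc_report(report_text):
    """Map the auditor's opinion wording to (opinion type, verdict).
    Anything that matches no known wording is flagged for a human read."""
    text = " ".join(opinion_section(report_text).split())  # collapse line breaks
    for name, verdict, pattern in OPINION_PATTERNS:
        if re.search(pattern, text, re.I):
            return (name, verdict)
    return ("unknown", "MANUAL REVIEW")

# Constructed sample excerpts; not taken from any real SOC report.
CLEAN_REPORT = """Section II
Independent Service Auditor's Report

Scope
We have examined Example Co.'s description of its system...

Opinion
In our opinion, in all material respects, the description presents the
system that was designed and implemented throughout the period...

Restricted Use
This report is intended solely for...
"""
QUALIFIED_REPORT = CLEAN_REPORT.replace(
    "In our opinion, in all material respects,",
    "In our opinion, except for the matter referred to in the preceding "
    "paragraph, in all material respects,")
ADVERSE_REPORT = CLEAN_REPORT.replace(
    "In our opinion, in all material respects,",
    "In our opinion, because of the matter referred to in the preceding paragraph,")

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_REPORT), ("qualified", QUALIFIED_REPORT),
                       ("adverse", ADVERSE_REPORT)]:
        print(label, "->", classify_soc_report(doc))
```

A PDF report would first need to be converted to text (for example with a PDF-to-text tool) before being passed to classify_soc_report; a qualified or adverse result is the cue to read the preceding paragraph and management’s response, not the end of the review.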
I’m a visual person, so keep this in mind when reviewing the auditor opinions: