Understanding the Impact of Testing Exceptions in Type 2 SOC 1 and SOC 2 Reports
By: Ivan Reyes, Senior Consultant at A-LIGN
Standards for Attestation Engagements No. 16 (“SSAE 16”) is an attestation standard whereby a service organization’s auditor issues an opinion on a service organization’s internal controls over financial reporting (ICFR). This is delivered in the form of a Service Organization Controls 1 (“SOC 1”) report. The report represents that the service organization has been through a thorough examination of relevant control objectives and related control activities that include internal controls over financial reporting.
Service Organization Controls 2 (“SOC 2”) reports are based on the AICPA’s Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy.
A Type 2 SOC report will contain the auditor’s opinion, which states whether the service organization’s description of controls is presented fairly, whether the controls are suitably designed, and whether the controls operated effectively over a specified period of time.
If the service organization has achieved all of the above, the service auditor issues an unqualified opinion. If, however, the service auditor found exceptions such that a control objective was either not in place or was not operating effectively, the service auditor issues a ‘qualified opinion’.
It is important to assess the risk of any exceptions noted in both a Type 2 SOC 1 and SOC 2. Once the risk has been assessed, the identification of any compensating or risk mitigating controls should proceed. If exceptions in tests of controls have been identified, management may disclose, to the extent known, the causative factors, the controls that mitigate the effect of the deviations, corrective actions taken, and other qualitative factors that would assist users in understanding the effect of the exceptions.
Testing exceptions should be linked to financial statement assertions for a Type 2 SOC 1, and gauged against Service Level Agreements and User Control Considerations for a Type 2 SOC 2. For a SOC 1, user entities should determine how any exceptions could impact the financial statements in question; in the case of a SOC 2, the user entity should assess the service organization’s ability to meet its Service Level Agreements.