Understanding the Impact of Testing Exceptions in Type 2 SOC 1 and SOC 2 Reports
Is your organization planning for a SOC 1 or SOC 2 Type 2 report and you’re concerned about the impact of testing exceptions? You’re not alone. SOC reports are gaining in popularity across industries and across the globe. An increasing number of customers are asking for demonstrated SOC compliance, and independent cybersecurity control validation and attestation is becoming necessary to compete for high priority contracts.
Let’s review the difference between a SOC 1 and SOC 2 report, learn why a Type 2 report is valuable, and understand the impact of testing exceptions in final reports.
What Is a SOC 1 Report?
A SOC 1 report follows the guidance outlined in the Engagements (SSAE), which focuses on the internal controls that have an impact on the financially relevant systems and reporting. The main goal of a SOC 1 report is to ensure the controls identified by the organization are in place and/or operating effectively to appropriately address the risk of inaccurately reporting financials.
What Is a SOC 2 Report?
Like a SOC 1 report, a SOC 2 also follows the guidance outlined in the SSAE. A SOC 2 report focuses on organizations whose services would have an indirect impact on the financial statements of the end user (their customers), whereas SOC 1 is specifically for organizations whose services would directly impact the financial statements of end users.
The security of your environment is based on the requirements within a SOC 2 examination, known as the Trust Services Criteria (TSC). The TSC, written by the American Institute of Certified Public Accountants (AICPA), consist of five categories:
- Common Criteria/Security (required)
- Availability (optional)
- Processing Integrity (optional)
- Confidentiality (optional)
- Privacy (optional)
What is a SOC Type 2 report?
For a SOC Type 2 report, your organization’s controls are assessed over a period of time, typically a twelve-month review period. A Type 2 report acts as a historical review of your environment to determine and demonstrate if the controls are suitably designed and in place, as well as operating effectively over time. The audit process will include sample testing within the review period to determine if your organization’s controls are operating effectively.
For example, we will take a sample of employees from the population of terminated personnel and confirm that their access was properly revoked and documented via the ticketing system during the agreed-upon review period.
A Type 2 report has the following characteristics:
- Description of your organization’s system as a whole
- Assesses the design of your organization’s controls, as well as their operating effectiveness
- Focuses on a period of time in which the controls are operating
- Features detailed descriptions of the auditor’s tests and test results of the controls
What are SOC Testing Exceptions?
Although you can’t “fail” your SOC report, it can result in report opinions to be noted as ‘modified’ or ‘qualified’.
If the evidence required by a SOC examination has been successfully submitted and accepted by the service organization, the service auditor would issue an ‘unqualified’ opinion. But, if the service auditor found exceptions amounting to the conclusion that a specific control objective (SOC 1) or criteria (SOC 2) was either not in place or was not operating effectively, the service auditor would issue a qualified opinion.
There are several reasons why a qualified opinion may occur, including:
- Management’s description of the system is not fairly presented in all material respects
- The controls are not suitably designed to provide reasonable assurance that the control objectives or criteria stated in the description of your organization’s system would be achieved if the controls operated as described
- The controls did not operate effectively throughout the specified period to achieve the related control objectives stated in the description of your system
- The service auditor is unable to obtain sufficient, appropriate evidence
Received a Modified or Qualified Opinion? Next Steps
You’ve been issued a modified or qualified opinion from your service auditor. Now what? It is important to immediately assess the risk of any exceptions noted in both a Type 2 SOC 1 and SOC 2 report. Once your security team has assessed any risks, you should identify compensating or risk mitigating controls.
If exceptions in tests of controls have been identified, your management team should disclose any known causative factors, the controls that mitigate the effect of the deviations, corrective actions taken, and other qualitative factors that would assist users in understanding the effect of the exceptions.
User entities should determine how any exceptions could impact the financial statements in question for a SOC 1, or in the case of a SOC 2, the user entity should assess the service organization’s ability to meet service level agreements.
Preparing for Your SOC Exam
If you’re undergoing a SOC 1 or SOC 2 audit for the first time, we highly recommend that you complete a Readiness Assessment which will identify high-risk control gaps, provide recommendations for improving controls, and allow you to remediate issues prior to the official SOC audit.
As a licensed SOC 1 and SOC 2 auditing firm with more than 20 years of experience, and as the top SOC 2 report issuer in the world, A-LIGN has the people, process, and platform you need to help your organization reach any of your compliance needs.