How Bad is a Qualified Report? Understanding SOC Report Opinions

How bad is a qualified report? This question comes up almost every time a qualified auditor report is issued to a service organization. The person(s) asking this question is usually comparing a qualified service auditor’s report (SOC 1 or SOC 2) to a going concern opinion on a financial statement audit. Both are concerning but how do they differ? What is the difference between a qualified SOC report and an unqualified SOC report? What are the types of opinions a SOC report can receive? In this post, we will cover these questions in order for users to better understand SOC report opinions.

What Type of Audit Reports Have These Opinions?

The types of audit reports and the associated opinions we will be discussing in this post are SOC 1 (formerly SSAE 16) and SOC 2 Reports.

  • A SOC 1 report (f. SSAE 16) is an opinion issued on the service organization’s internal controls over financial reporting.
  • A SOC 2 report is based on the AICPA’s Trust Services Principles.
  • A Type I SOC report is issued stating that a service organization’s controls are designed effectively at a point in time.
  • A Type II SOC report is issued stating that a service organization’s controls are designed AND operating effectively for a specified period of time.

For further information regarding SOC Report Types refer to our article, SOC Report Types: Type I vs Type II.

What are the Four Types of Audit Opinions?

The four types of opinions SOC reports can be issued with are; unqualified, qualified, disclaimer, and adverse opinions.

A disclaimer opinion typically means that the service auditor was unable to issue an opinion as they were limited by the service organization in the information they requested or procedures performed.

An adverse opinion is the worst opinion that can be issued. An adverse opinion indicates that the users of the SOC report can not place any reliance on the service organization’s system.

In both cases, the user may want to communicate with their service provider to better understand the circumstances that drove the service auditor to issue these opinions and possibly switch service providers. Continue reading for information on what an unqualified report opinion and a qualified report opinion means.

What is an Unqualified Report?

What does it mean when your SOC report has an unqualified opinion?

An unqualified opinion indicates that the controls tested as part of the report appear to be designed (Type I or II) and operating (Type II) effectively. An unqualified opinion doesn’t mean there were no issues/exceptions identified by the service auditor.

An unqualified report can have issues identified by the service auditor in the testing they performed. If issues were identified but the report was unqualified, then the service organization and their auditors were able to mitigate and/or remediate the risks presented by the issues and the control was deemed effective despite these issues.

By issuing an unqualified report with issues, the service auditor did not believe that the issues identified resulted in a material weakness in the control environment. The user of the report will still want to understand the issues identified, but with an unqualified report opinion, the service auditor’s opinion is that the user of the report can place reliance on the service organization’s system.

What is Meant by a Qualified Audit Report Opinion?

If a SOC report is issued with a qualified opinion, it indicates that a control or controls were not designed (Type I or II) and/or operating effectively (Type II).

A qualified report indicates that issues identified in the report were significant enough to deem one or more controls ineffective. Qualified report opinions are actually quite common and they are not considered as severe as an adverse or disclaimer opinion.
What does it mean for the user obtaining a qualified SOC report from their service provider? A qualified SOC report does not mean that you can not rely on the report at all. The control objectives in the report that are designed and/or operating effectively can still be relied upon in most cases. It is the control(s) with deficiencies that will need further work on the part of the user.
For financial statement purposes, a client’s external auditor may be able to perform additional testing on secondary controls at the user level to mitigate the risk presented by the ineffective control(s) in the SOC report. It will depend on the user of the report to examine the services rendered by the organization and the controls they have in place at their organization to determine how much, if any, reliance will be placed on a qualified report.
For further information regarding qualified audit opinions and how they affect organizations, refer to our article, SOC Qualified Opinions & What they Mean for Your Organization

How is a Going Concern Opinion Different From a Qualified Report?

A going concern opinion often means the organization is in financial peril and may meet its demise very soon.
However, a qualified opinion on a service auditor’s report is more akin to a material internal control weakness disclosure for SEC registrants who have to issue such disclosures for Sarbanes-Oxley Act purposes. A qualified opinion in a service auditor’s report could be described as similar to a significant deficiency or material weakness in internal control disclosure.
All should be avoided by management. Though the going concern opinion is the worst of the opinions just described.

Summary There are four different opinions that can be issued with a SOC report; unqualified, qualified, disclaimer and adverse. Though a qualified report opinion is not ideal, many service organizations issue a qualified report at some point in time, especially in their first year of issuing a SOC report.
A qualified report is not the worst case scenario when issuing a SOC report, but a service organization should strive to obtain an unqualified opinion. An unqualified report does not indicate that no issues were identified, but rather that the service organization’s controls are designed (Type I or II) and operating (Type II) effectively.
Regardless of the opinion issued with the report, it is up to the user of the report to determine how the results of the report affect the services being provided to them