What you need to know about the auditor opinion in SOC 2 reports

SOC COMPLIANCE

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

SOC 2 Reports – Part 2

What does the Auditor Opine On?

A SOC report contains the results of an “examination” engagement performed by your service auditor. An examination is similar to an audit in that your auditor must be independent and issues a report that features an opinion. The Independent Service Auditor’s Report is presented within Section I of the SOC 2 report.

The opinion itself, though just a small section of the SOC 2 report, represents the culmination of all the auditors work. SOC report readers generally skip to the opinion to read the auditor’s high-level conclusions of the SOC examination.

Here is an example opinion paragraph for a notional company called Database Land, which provides a database-as-a-service to their customers.

Note: For the purposes of this article, we are going to assume the service auditor issued an unmodified opinion, sometimes referred to as a clean opinion. See our article on the types of SOC opinions for more information on that topic.

SOC 2 Report Opinion Example

In our opinion, in all material respects,

1. The description presents Database Land’s database hosting system that was designed and implemented through the period December 1, 20X6 to November 30, 20X7, in accordance with the description criteria.
2. The controls stated in the description were suitably designed throughout the period December 1, 20X6 to November 30, 20X7, to provide reasonable assurance that Database Land’s service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated effectively throughout that period.
3. The controls stated in the description operated effectively throughout the period December 1, 20X6 to November 30, 20X7, to provide reasonable assurance that Database Land’s service commitments and system requirements were achieved based on the applicable trust services criteria.

Paragraph a)

Section III of the SOC 2 report contains the organization’s description of the system. It has a few different subparts, but the vast majority of Section III is a narrative description of the service organization’s controls as they relate to the AICPA’s Trust Services Criteria, usually about 10 pages in length. The auditor’s opinion in Paragraph a) of the service auditor’s opinion simply states that the description as presented is a fair presentation of reality.

Paragraph b)

Paragraph b) is the auditor’s overall conclusion on the suitability of the design of controls.

A major element of the auditor’s work is assessing the design of the controls that are disclosed in the description. This work is generally performed through walkthrough meetings with service organization staff where the staff explain to the auditors how the control operates as they “walkthrough” a sample transaction. A control is designed effectively if, when executed, achieves management’s desired objective for the control.

Take for example a control that requires the periodic review of user access to a system. As part of the control process, a staff generates a user report from a system for review. The query underlying the report, however, was programmed incorrectly and inappropriately excludes vendors with access. In this case, the control would not be suitably designed, because, even if executed, it would not achieve the objective of the control.

This paragraph of the service auditor’s report, therefore, is dedicated to the auditor’s conclusions regarding the design of controls.

Paragraph c)

For SOC 2, Type II examinations, the service auditor not only has to assess the design of the controls, but also the operating effectiveness of the controls. For SOC 2, Type I examinations, the service auditor’s opinion only addresses the fair presentation of the description and the design effectiveness of controls, paragraphs a) and b).

Paragraph c) presents the auditor’s opinion as to whether or not the controls operated effectively throughout the year. To test operation effectiveness, auditors will select a sample of control events throughout the year and verify that evidence exists to support that the control was properly performed.

For example, to test the operating effectiveness for a control that requires all new user accounts to be approved prior to being granted, the service auditor would obtain a population of new users that were granted access during the audit period, select a sample from that population, and request evidence for each sample that the user’s account was approved prior to being turned on in the system. With sufficient evidence that controls were properly executed throughout the period, the service auditor can opine that controls were operating effectively.

Conclusion

The service auditor’s opinion is presented within the Service Auditor’s Report, which is Section I within a SOC 2 report. The opinion presents the overall conclusions of the service auditor, and it represents the culmination of all the auditor’s work.

The auditor’s opinion covers three areas:

• The fairness of presentation of the description of the system (Section III).
• The design effectiveness of the controls presented in the description of the system.
• The operating effectiveness of the controls presented in the description of the system (SOC 2 Type II only).

Are you considering a SOC report and trying to figure out the right report for you? Keiter’s team of Risk Advisory Services professionals can help you. Email | Call: 804.747.0000

What is in a SOC 2 Report?

Additional SOC Resources:

• What are the SOC 2 Trust Services Criteria?
• SOC 2 Documents – What you need to provide your auditor
• The Hidden Costs of a SOC 2 and How to Avoid Them
• SOC 2 Challenges – Audit Evidence
• SOC 2 Challenges – Population Completeness