There are four types of opinions for SOC reports:
- Unqualified – Audited controls were designed and operating effectively. There may be exceptions noted, but overall, the trust services criteria have been met.
- Qualified – There is either a material description misstatement or material deficiency in the design or operation of controls that is not pervasive.
- Disclaimer – Not enough information was provided for the auditor to be able to express an opinion about whether controls were designed and operating effectively.
- Adverse – There is either a material description misstatement or material deficiency in the design or operation of controls that is pervasive.
The majority of SOC 2 reports that M&A issues are unqualified opinions. Disclaimers and adverse opinions are very rare. If the auditor and the client are both doing their jobs correctly, the environment at the client organization should not reach the point where a disclaimer or adverse opinion becomes necessary. Qualified reports do occur from time to time.
The materiality of the deficiency, and whether an opinion is qualified, adverse, or a disclaimer, is determined by the service auditor’s judgement. Per the AICPA SOC 2 Guide, the service auditor evaluates the results of all procedures performed and conducts both a quantitative and a qualitative analysis. The question is whether the identified description misstatements, deficiencies in the suitability of design, and deviations in the operating effectiveness of controls result in a description that is not presented in accordance with the description criteria, or in controls that are not suitably designed or operating effectively.
As noted above, when a SOC 2 report is issued with a qualified opinion, a trust services criterion may not have been met because the related controls were not designed and/or operating effectively, or because a material description misstatement occurred. The control deficiencies and/or description misstatement need to be material and not pervasive for the opinion to be qualified. A qualified opinion does not mean that “ALL” controls covering the trust services criteria listed in the qualified SOC 2 report are not designed and operating effectively. The user of the report would have to read the opinion in the SOC 2 report to understand the implications of the qualified opinion and how it relates to their organization.
Depending on the system or service your company provides, certain trust services criteria will be more important to your customers. If you store data for your customers, then a qualified opinion related to data backup and restoration controls would probably be critical to them, while one related to controls around performing an annual vendor risk assessment perhaps would not be. So the answer to whether qualified opinions on some trust services criteria are more important than others is: it depends.
In conclusion, qualified reports are not common, but they do occur. Obviously, the best scenario is to avoid a qualified report, but that is not always possible. If your company is interested in obtaining a SOC 2 report or for answers to your questions on SOC reporting, please contact us. For more information on these services and more, be sure to visit our SOC services pages.