Anyone who’s gone to the trouble of getting a SOC 2 audit can advertise that fact on their website. What they can’t say is whether or not they passed or failed.
That’s because the report isn’t actually a public document. That said, it can be shared with existing customers. You can also get a prospective customer to sign a non-disclosure agreement before showing them your SOC 2 report. Once they have it, you can guarantee they’ll do some serious digging—especially if they’re in a highly regulated industry, like financial services.
Which begs the question: What makes a good SOC 2 report?
That’s exactly what we’re going to cover today, so read on to learn more.
Getting the Right SOC 2 Report Opinion
When a prospect or customer receives your SOC 2 report, chances are they’ll turn to section two first, AKA the independent service auditor’s report.
There, they’ll find your auditor’s opinion on whether you were SOC 2 compliant for the audit’s observation period. In other words, whether you passed or failed. This section is, for lack of a better way of putting it, the Coles Notes version of your report.
It’s important to note that auditors can only form an opinion on what they’ve actually observed. For instance, you might have a control that requires you to log, track and communicate security incidents to affected parties. But if there weren’t any incidents during your audit, then there’s no way to test that control.
But don’t worry. You won’t be penalized. Your auditor will simply note that they couldn’t test the control and explain why. They’ll also confirm that you didn’t experience any incidents by talking to someone on your engineering team. Finally, they’ll take a look at your incident response plan to make sure you have the correct documentation in place.
The reason I mention all of this is to highlight how auditors approach a SOC 2 examination. They are diligent and speak to that which is verifiably true. No more, no less.
Now that that’s out of the way, let’s take a look at the different opinions your auditor might provide in your report and what they mean.
PS: Feeling iffy about SOC 2? Download The Ultimate Survival Guide to SOC 2 Compliance and get the guidance you need to ace your next audit, with tips and tricks from ex-auditors.
The Unqualified Opinion
Getting an unqualified opinion means that you passed your audit. More specifically, it means that the controls your auditor tested were designed and operating exactly as they should be.
Here’s where things can get tricky, though.
You can have controls that fail and still get an unqualified opinion. We call this an unqualified report with issues.
You’re probably wondering how this can happen.
You need to have mitigating controls in place. These are controls you’ve implemented that do the job of those that have failed. All of this exceedingly fun stuff is noted in section four of your report, which breaks down how controls tested.
An unqualified report with issues sounds worse than it is. To be clear, it’s still a pass. That said, whoever’s reading your report will pay close attention to what failed and they’ll likely want to know how it’ll impact them. They’ll also want assurances that you’re taking steps to solve the issue.
The Qualified Opinion
Getting a qualified opinion means that you failed your audit. Basically, the controls your auditor tested weren’t designed and/or operating as required.
In black and white terms, yes—a qualified report constitutes a failing grade. That said, the control or controls that were deemed ineffective might not impact specific customers or prospects. In cases like these, your report can still be relied upon.
Of course, you’ll want to do better next time you’re audited.
The Disclaimer Opinion
If you get a disclaimer opinion, it simply means you didn’t provide your auditor with enough information. In this situation, they weren’t able to form an opinion on whether or not you were SOC 2 compliant.
The Adverse Opinion
An adverse opinion is a big no-no. It means customers and prospects can’t place any trust in your systems. I actually considered omitting this from the list, given how rare it is.
The truth is, most auditors will work with you to get the best possible outcome for your business. I can guarantee you that they don’t want to hand out disclaimer or adverse opinions. But you need to work with them, too. That means designing and operationalizing the right controls and providing your auditor with the documentation they need, when they need it.
Obviously, you want a SOC 2 report with an unqualified opinion. If, for whatever reason, you end up with a qualified report, make sure you’re prepared to answer any questions your existing customers might have.
They’ll want to understand exactly how it’ll impact them. Also, reassure them that you’ll be resolving any outstanding issues and passing your SOC 2 audit the next time around.
Sometimes, the difference between passing and failing a SOC 2 audit depends entirely on who you’ve got in your corner. If you’re ever worried about preparing for or maintaining SOC 2, don’t hesitate to get in touch with us. We’re always here to help.
Alternatively, if you’re looking for an easier way to get through SOC 2 in one piece or get the best possible SOC 2 report opinion, grab a free trial of our product. We’ll set you up with the right policies, show you which controls you need to implement, help you gather evidence, and snag that unqualified report.