Interview With a SOC 2 Auditor: Why Would an Auditor Qualify Their Opinion on a SOC 2 Report
Preparing for your first SOC 2 audit and worried that you won’t pass? Wondering what exact things stop companies from getting approved?
To help you figure out just that, we interviewed K.C. Fike, Data Analytics Practice Lead at The Cadence Group, with more than a decade of experience in overhauling IT processes and data handling within businesses.
This interview covers what a SOC 2 report is and how it’s different from SOC 1, the top reasons auditors won’t give you the report, and how you can avoid those issues.
He also breaks down how to interpret the SOC 2 report results when you get them (as they don’t just write passed or not passed).
What is the difference between a Type 1 and Type 2 SOC 2 report?
SOC 2 Type 1: The initial controls design
A Type 1 report is an evaluation of the design of your controls at a point in time. We’ll walk through the controls, make sure it makes sense for the environment, and look at an example of the control to make sure it’s designed effectively. For example, if the focus is on secure data handling, making sure password settings like character count are actually implemented, two-factor authentication is used throughout the company, and more.
Who has access to what data is also important, so setting up a hierarchy using user access controls is another example of a data security control.
SOC 2 Type 2 - ongoing operation of the controls
A Type 2 report examines the design of controls to see if they’re operated effectively over 6 or 12 months. So it’s essentially a test of the controls you set for the Type 1 report.
That’s when we come in and ask a company to show us the actual process in action. That includes any new employees over the last 12 months, and we’ll do a test to see if they were onboarded properly. We might ask to see password settings, two-factor authentication, and other security measures, access logs, uptime reports, and more.
There are some nuances in the type of report. For example, in Type 1, we only focus on listing out the controls. But in Type 2, we’ll also show a table of tests we ran to make sure these controls were effective/ineffective and test procedures.
To learn more, you can read our full in-depth guide to SOC 2.
How do you interpret the results of the SOC 2 report
In a SOC 2 report, the results fall into one of four categories.
- Unqualified opinion: No material inaccuracies or flaws in systems. This is your goal.
- Qualified opinion: There are material misstatements in system control descriptions, but they’re limited to specific areas.
- Adverse opinion: There is enough evidence to prove material inaccuracies in your controls’ description and weaknesses in design and operational effectiveness.
- Disclaimer of opinion: There’s no way to obtain enough evidence to establish an educated opinion.
It may sound counterintuitive, but the best outcome for the report and what you want for your business is an “unqualified opinion.”
In this context, it doesn’t indicate a lack of information but that your implementation of the controls and security measures work exactly as described in the initial SOC 2 Type 1 report.
Adverse opinions are pretty rare, as they basically conclude that there are major issues with the entire design of your security measures. If you receive one, you should start again from the ground up, preferably with an experienced consultant.
If you want SOC 2 compliance for your service organization, a robust internal control protocol is crucial.
What are the top reasons an auditor wouldn't give an unqualified SOC 2 report?
If you pay for a report, you’re always going to get one, but the opinions will decide whether or not you can claim to be SOC 2 compliant. Just getting a report doesn’t automatically mean your data processing integrity is approved.
You need a SOC 2 report with an unqualified opinion for that.
What causes me to deliver a qualified opinion, indicating issues with the process in certain areas, is a failure of the controls. One common example is the failure of new staff to follow the original protocols laid out in the controls design.
A rapidly growing service organization or a company that underwent an acquisition or merger is typically at a much higher risk of this issue.
Here are some examples of what negatively affects the auditor's opinion:
- Inconsistent application of controls between employees (even new hires)
- Inconsistent application between projects or deliverables
- Insufficient security measures in the original controls design
- Employees who ignore protocol
The reason behind these issues are often linked to:
- Bad onboarding
- Lack of communication between teams
- No clearly defined standards throughout the company
- Lack of key stakeholder involvement
- No internal control monitoring
- Changing software tools or processes
- Inconsistencies throughout the tech stack
SOC reporting and the audit process focus on consistency throughout your organization.
SOC 2 requirements include risk management, communication protocols, designing, and monitoring controls, plus more.
Of course, over a 12-month testing period, there can be some exceptions without meaning you automatically fail. Exception for control doesn’t mean you didn’t get a report, but we mark it as an exception.
For example, let’s say 2 of 25 software changes weren’t peer-reviewed before going live. We’d highlight these issues as exceptions and give management the opportunity to remediate the issues.
A long list of exceptions can lead to a failure of your security controls. Every step of the process is crucial for securely handling internal and customer data.
I only issue an adverse opinion when the control environment doesn’t exist, and there are failures throughout the entire process. For example, if everyone in the company can access sensitive customer data and there are no safeguards like two-factor authentication.
How do you avoid falling into these common mistakes?
To make sure all employees follow protocol, you need to make it part of your company culture. Make sure all employees know their responsibilities within the organization and processes — even new ones.
Hold training sessions across departments and create a single standard for every relevant employee to follow.
As the organization grows, you must bake the controls and processes into your onboarding and training.
Beyond this, you should reach out to the auditor and ask questions. Auditors are trying to be transparent. Let them know if you’re thinking about something like migrating from GCP (Google Cloud Platform) to AWS (Amazon Web Services) and how that would impact their SOC report.
Getting your SOC 2 certification is all about minimizing mistakes and exceptions, so take this process seriously. You must prove that you follow every trust services principle to the letter.
This includes:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Don’t let human error get in the way of your operating effectiveness.
What is your advice for companies planning to hold a “readiness assessment” before the SOC 2 audit?
It depends on the organization. If you’re a small startup, you may not have an information security team or someone with that background on staff. But if you work with enterprises, potential customers will often ask for a SOC 2 report.
In that case, it’s a good idea to get a readiness assessment to understand controls and how close you are to meeting them. You should use it as a way to prepare. Hire a third-party consultant, preferably an accredited auditor, rather than learn the process from scratch.
The readiness assessment is a way for you to see the gaps you have, so be transparent with the auditor. They’re there to advise you and your team.
If you’re more seasoned and you have a team dedicated to infosec, everyone has defined processes, and you're confident you know what SOC 2 is, you can use it as an internal test to check whether you’ll pass.
Do you have any last tips for companies worried about not passing their SOC 2 audit?
If you’re worried about passing, start with the Type 1 report so you can get the control environment right.
Before you get started, assess all your controls and processes internally, do a readiness assessment, and reach out to auditors to get an initial consultation. An auditor isn’t just a judge or jury.
An auditor is an advisor who can help make sure you’re set up for success, especially when you’re doing Type 1 or readiness assessment.
Reliable, secure processes are key to healthy customer relationships
The reason potential business customers care about SOC 2 compliance is that data breaches are a business killer.
They can’t afford to lose customers by accidentally leaking sensitive information. SOC 2 compliance is a way to prove that your company knows how to handle data.
When you’re first starting to prepare, it might seem like an overwhelming task. But with the right tools, you can prepare for a successful SOC 2 report in weeks, not months.
Secureframe makes it easy to implement your security requirements, scan your entire system, and highlight weak points in your tech stack.
If you want to get a head start, sign up for a free demo today.