It’s become more commonplace to see companies touting their “clean” audit report. It might be a company that has finished their first audit and they’re celebrating their success. Whether it’s a SOC 1 audit report that focuses on Internal Control over Financial Reporting, or a SOC 2 audit report that focuses on the Security, Availability, Processing Integrity, Confidentiality and Privacy Trust Services Criteria, it feels good to get that report in your hand to represent the end of the audit process.
But what is a “clean” report? Is that actually something you should be striving to accomplish? A SOC 1 or SOC 2 audit is not a pass/fail result. It is an opinion issued by an independent auditor based on the concept of reasonable assurance. The auditor can issue an unqualified opinion as to your achievement of the control objectives or criteria. They can issue a qualification to that opinion, for example that the company achieved the SOC 2 criteria “except for” vulnerability management. Alternatively, they can issue an adverse opinion or disclaim an opinion altogether.
In the Type II version of both reports, there is a section that details the testing performed on each control. The results of the test might contain an “exception.” For example, we pulled a sample of 10 new hire files and found that one did not sign the Confidentiality Agreement. Or, out of a sample of 30 Windows servers, we determined that 3 did not contain the latest patches, released over 6 months ago. These exceptions may not impact the final opinion in the report, but they are important details for you and your client to consider when relying on that particular control to reduce risk.
The desire for a “clean” report comes from an expectation that you shouldn’t show any weakness in your audit report. We want the best opinion and we want to show that we have NO exceptions. But is that realistic? What company has no exceptions during a year of activities? People miss things. Technology fails. Processes are flawed. Be authentic in your reporting. Show your clients that you are being thoroughly tested and demonstrate that your mindset is to improve year after year.
The professionals reviewing your report are experienced in compliance and review many reports. They can tell the difference between results that sound too good to be true and an audit that took testing seriously and is reporting honestly. At a recent conference session, we led a group of almost 100 compliance officers through a vendor management exercise and asked the question: do you accept an audit report with no exceptions? Not a single hand was raised. They commented that a report that does not appear to reflect reality makes them suspicious.
Don’t fall for the “clean” report trap. Embrace the audit experience as a way to expose findings and demonstrate to your clients that you took those findings to heart by adjusting your controls to meet the ever-increasing threat landscape. They’ll be satisfied and your company will benefit from that mindset too!