If your organization is making the investment in information security audits, it’s understandable to question whether you will pass or fail the audit. After all, many organizations pursue compliance because they have something at stake, like a new client or big product launch, and if they do not pass the audit, there could be severe consequences. However, there’s good news when it comes to SOC 1 audits: the framework is built on the SSAE 18, a standard that is not based on a pass or fail model. Instead, your SOC 1 compliance is determined based on reasonable assurance. What exactly does that mean? Let’s take a look.
What is Reasonable Assurance?
During the audit process, your auditor will perform various tests, interviews, and observations to determine whether there is reasonable assurance that your organization has internal controls in place and operating effectively. Because there is no way to give absolute assurance that these internal controls are operating as intended, auditors must instead be able to give reasonable assurance that controls are in place and operating effectively.
What’s the Difference Between a Qualified and Unqualified Opinion?
When an auditor determines whether there’s reasonable assurance, they’ll issue either a qualified or unqualified opinion. An unqualified opinion means there are no qualifications or significant exceptions being issued and reasonable assurance has been determined. On the other hand, if an auditor issues a qualified opinion, this means that there are exceptions. So, for example, “Except for control X, internal controls are in place, suitably designed, and operating effectively.” In cases where a qualified opinion is issued, we will list the specific aspects of your system that were not operating effectively in your SOC 1 audit report.
Want to learn more about how KirkpatrickPrice can assist you on your SOC 1 compliance journey? Contact us today.
More SOC 1 Resources
It’s very common for us to get asked, “Am I going to pass this audit? What if I fail? Is it going to be bad for our organization if the audit doesn’t go well and we get a failing grade?” Well, a SOC 1 audit is based on the SSAE 18 standard, and the standard does not work on a pass or fail system. The benchmark is something called reasonable assurance. We can’t have absolute assurance that something is operating a particular way, so the highest level is called reasonable assurance. The auditor has to come to a conclusion using testing and analytic procedures to form a reasonable basis for their opinion, which answers: Is this control designed properly? Is it in place? Is it operating effectively over a period of time? We’re looking for reasonable assurance. If we issue an unqualified opinion, that is an opinion where there are no qualifications to our opinion. It means that an organization’s controls are in place, operating effectively over a period of time, and our opinion has not been qualified. A qualified opinion has the line “except for.” So, for example, “Except for X, the controls are in place, suitably designed, and operating effectively.” We would qualify the opinion by calling out individual aspects of the system that maybe were not operating effectively during the opinion. Ask yourself the question, “Can my auditor form an opinion that’s based on reasonable assurance that our controls are operating effectively?” Talk to one of our Information Security Specialists and let us talk to you about what your environment looks like and the types of practices that you’ve had in place, and let us give you our opinion on what reasonable assurance would look like for your organization.