Article written by:
Brooke Hauser, CPA
Senior, Information Technology Services
Having testing exceptions in a SOC report, whether it is a SOC 1 or SOC 2, is more common than you would think. Therefore, if you see an exception in a report, or receive an exception while your auditors are performing testing, do not panic just yet. To start, it is important to break down what exceptions are.
What is an exception?
An exception is noted in section 4 (“Results of Auditor’s Tests”) of the service auditor’s report when a descriptive misstatement, deficiency, deviation, or other instance of noncompliance is discovered by the service auditor.
There are three types of exceptions that may occur in a SOC Report:
- Exception with the design of a control – Typically, you will not see an issue with the design of a control. This is because companies should go through a readiness assessment with their auditors to ensure the controls they have in place are properly designed to meet the criteria/control objectives. These exceptions are more concerning to the readers of the report because they show the control environment is not sound. An example of this deviation is if there is no process in place for removing a user’s access following termination, or if the process is to remove access within 30 days, which would not be timely.
- Exception with the system description – This occurs when the auditor discovers differences between management’s system description and the appropriate description criteria. Again, similar to the exception in the control design, this is not very common due to working with the auditor during the readiness assessment.
- Exception with the testing of control effectiveness – The testing of control effectiveness occurs during a Type 2 SOC examination and is when the auditor verifies that the control was in place and operating during the entire testing period (i.e., the auditor will select a sample of employees terminated during the testing period and verify that access was removed timely in accordance with the Company’s policy). Therefore, if an employee’s access was not removed in a timely fashion, that would result in an exception in operating effectiveness.
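As an added illustration, not part of the article, this is how a service organization could run the same termination test on itself before the auditor does; it assumes constructed HR termination dates and identity-system disablement dates and a hypothetical one-day removal policy, and it handles the edge case of an account that is still enabled at period end.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Termination:
    user: str
    terminated_on: date
    access_removed_on: Optional[date]  # None: account still enabled

# Hypothetical policy: access removed within 1 calendar day of termination.
POLICY_WINDOW_DAYS = 1
PERIOD_END = date(2023, 12, 31)  # end of the Type 2 testing period

# Constructed sample of terminated employees (not real data).
SAMPLE = [
    Termination("alice", date(2023, 3, 1), date(2023, 3, 1)),    # same day
    Termination("bob", date(2023, 5, 10), date(2023, 5, 12)),    # 2 days late
    Termination("carol", date(2023, 8, 20), None),               # never removed
    Termination("dave", date(2023, 12, 31), None),               # still in window
    Termination("erin", date(2023, 9, 4), date(2023, 9, 5)),     # within 1 day
]

def evaluate_sample(sample, window_days, period_end):
    """Replay the auditor's test: flag each sampled termination whose access
    was removed later than the policy window, or not at all by period end."""
    exceptions = []
    for t in sample:
        if t.access_removed_on is None:
            # Still enabled: only an exception once the window has lapsed
            # as of period end; otherwise it is an open item, not a failure.
            open_days = (period_end - t.terminated_on).days
            if open_days > window_days:
                exceptions.append((t.user, f"still enabled {open_days} days after termination"))
            continue
        days = (t.access_removed_on - t.terminated_on).days
        if days > window_days:
            exceptions.append((t.user, f"removed after {days} days (policy: {window_days})"))
    return {
        "sample_size": len(sample),
        "exceptions": exceptions,
        "exception_rate": len(exceptions) / len(sample) if sample else 0.0,
    }

if __name__ == "__main__":
    result = evaluate_sample(SAMPLE, POLICY_WINDOW_DAYS, PERIOD_END)
    print(f"{len(result['exceptions'])} of {result['sample_size']} sampled items failed")
    for user, reason in result["exceptions"]:
        print(f"  {user}: {reason}")
```

Each flagged item is what would appear in Section 4 as a deviation, so running this against your own population gives you the list to explain in Section 5 before the auditor asks.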
How do testing exceptions impact my SOC report?
The following list illustrates how exceptions may be treated in the service auditor’s report, in order from the worst- to the best-case scenario:
- A change in audit opinion – Each SOC report, similar to a financial audit, has an opinion. If the auditor determines that there is a significant issue with the controls not being suitably designed or operating effectively, they will modify the opinion to express a qualified or adverse opinion. Qualified opinions are expressed when the deficiencies in design or effectiveness are limited to one or more criteria or control objectives. Adverse opinions are expressed when the deviations in design or effectiveness are material and pervasive throughout the report. Going back to the example of the removal of user access, a change in audit opinion will usually not occur if one or two of the 25 sampled items were not removed timely. However, it will occur if the exceptions in design and operating effectiveness for one or more criteria or control objectives are significant enough that the auditor determines those criteria or objectives are not being satisfied.
- No change in opinion – If the auditor determines the deficiencies identified do not impact the control design and operating effectiveness, an unqualified opinion will still be issued. Individual testing exceptions, regardless of materiality, must be disclosed in Section 4, with the description of tests performed by the auditor and the results of the tests.
How to respond to an exception?
Management can respond to identified deviations in Section 5, “Other Information Provided by the Service Organization,” of the SOC report. This section is optional in each report and is where you respond to deviations or add other information you want to provide to the readers of your report. This means there is no requirement to respond to testing results. In Section 5 you are able to tell your side of the story, so to speak, and let the readers know of other compensating controls that did operate successfully, or of new processes you have implemented since testing to prevent the situation from arising in the future.
It is important to know that auditors do not test or provide assurance over the information provided in Section 5. The auditor is only required to make sure there are no material inconsistencies or misstatements.
In my opinion, exceptions can be a good thing. Exceptions are a way to re-evaluate and improve your company’s existing processes and determine if there are more efficient and effective ways to complete the task. A few minor exceptions also demonstrate to your user community that objective and professional audits were obtained, because, as everyone knows, no one is perfect all of the time.
Our IT audit professionals have extensive experience working in IT regulatory control environments and we will work with you to identify the best control procedures and technology objectives for your business. Contact us with questions.