By Fazal Nabi
As part of your SOC report, your service auditor will note exceptions. These exceptions occur if a misstatement, deviation, deficiency or form of potential noncompliance was found throughout the auditing process.
The three different types of SOC report exceptions
Exceptions fall into three distinct categories: control design deficiencies, system description misstatements and operational ineffectiveness. Because each of the three can affect the service auditor’s final opinion differently, they should be approached on a case-by-case basis.
System design: While issues relating to the design of an organization’s controls are an important exception, they tend to be uncommon because most organizations carry out readiness assessments while collaborating with their auditors. The readiness assessment helps ensure that all existing controls are appropriately designed.
System description: System description misstatements usually refer to instances where the organization’s system or services descriptions are misaligned with appropriate description standards.
Operational effectiveness: The most common exception tends to be deficiencies in the operational effectiveness of a control. It usually results from a lack of authority, competence or willingness on the part of management.
For example, this exception can occur when an organization had a control in place that was designed to limit a potential form of noncompliance, but failed to implement and use that control correctly because of shortcomings in training, implementation, maintenance or willingness. Any failure by the audited firm's management to ensure that properly designed controls are not only in place but also being used effectively may constitute an exception of this kind.
How exceptions have different implications
Exceptions are not just important because they outline the audited organization's potential noncompliance. They’re also significant because of their ultimate impact on the auditor’s final opinion.
For example, simpler exceptions relating to the design of a particular control usually do not change the ultimate opinion an auditor expresses in the report, but more substantial exceptions, such as those relating to operational ineffectiveness and description misstatements, may result in what is referred to as an “adverse” opinion.
In some instances where the deficiencies and deviations found are relatively limited, the auditor may express a “qualified” opinion rather than an adverse one, which, by comparison, is far more favorable for the audited organization.
Because of the need to approach instances of operational ineffectiveness on a case-by-case basis, the frequency with which exceptions normally occur is usually also considered during the auditing process.
For example, if a potential discrepancy was found in a firm's control mechanisms, then it is normally the auditor's responsibility to account for how much of the organization's activities are affected by said discrepancy. If it was found to affect a large portion of the organization's operations, the auditor is more likely to ultimately decide on an adverse opinion, while simpler or limited occurrences of operational ineffectiveness may not impact the decision as significantly.
Nevertheless, because exceptions tend to be distinct and unique, discrepancies and deficiencies should always be examined on a case-by-case basis to ensure that all parties involved fully understand the potential causes and implications of each instance. Each exception should therefore be carefully reviewed and assessed by the auditor to identify clearly whether the potential deficiency relates to noncompliance, incompetence, a design failure or operational ineffectiveness.
Turn SOC report exceptions into opportunities
Exceptions should be viewed as opportunities for improvement. Working with a SOC auditor like Wipfli can help you address any exceptions so you can improve controls and avoid exceptions in future reports.