Understanding SOC exam exceptions and management letter comments
When a System and Organization Controls (SOC) examination is completed, the findings generally fall into one of two categories: exceptions or management letter comments.
The main difference between the two is that exceptions are disclosed in the SOC report itself, while management letter comments are communicated to management only.
What are exceptions?
An exception is identified by a service auditor during a SOC examination when the auditor finds a control that is not suitably designed or is not operating effectively.
Exceptions can arise from inquiries of management, from onsite observation, or from inspection-based testing. Most are discovered during the inspection of source documentation.
When an exception is noted, the service auditor will meet with management of the service organization to discuss the item. Depending on the circumstances, management often provides additional documentation to help demonstrate that the control objective was in fact achieved.
If the exception, or exceptions, cannot be resolved with additional evidence, they will be included in the report. If the nature and quantity of the exceptions are severe enough, they may also affect the opinion expressed in the report.
If the service auditor determines it to be necessary, the exception will be described in the service auditor's opinion and the opinion will be modified accordingly. An opinion modified because of exceptions will clearly state that, other than the noted items, the controls appear to be operating effectively.
Exceptions in certain controls do not affect the conclusion on any other controls. An opinion will be modified only when the exceptions are high risk or when their number exceeds what the service auditor deems acceptable.
What are management letter comments?
During a SOC exam, a service auditor may notice opportunities for improvement that are outside the scope of the exam and that are not related to an existing control.
These value-added recommendations, along with details on how to improve, are communicated through a management letter.
Because these items are outside the examination scope, the management letter is for the use of management only and is not intended to be shared with customers of the service organization or with readers of the SOC examination report.
A SOC exam can result in an identified exception in the design or operating effectiveness of a control, or in a management letter comment.
How Wipfli can help
Exceptions and management letter comments are not the end of the world.
They should be viewed as opportunities for improvement.
It is important to work with your service auditors, such as those at Wipfli, to find the best way to address any exceptions or management letter comments, strengthen your controls and avoid repeat exceptions in future reports.
To learn more about SOC exams, see our web page.
Or read our stories on SOC exams:
My data center has a SOC exam. Do I need one?
SOC1 vs. SOC2. What’s the difference?