Why a SOC Report is Not a SOC Certificate

Meagan Mujushi

Oct 26, 2017 2:30:00 PM



We often see the terms "SOC certification" and "SOC certificate", and want to be clear that a SOC (Service Organization Control) report is not a certificate. SOC reports are not earned by studying or by completing a project; they are the result of an audit. The result is a single-page opinion accompanied by a 50 to 60-page report. A SOC report does not offer pass or fail options. What it does offer is an opinion on the many aspects of internal controls, and as such it should be read in detail for noncompliance items.


Specialized auditors spend time in a company completing a checklist and looking closely at its systems and controls. The outcome is not a pass or a fail but a very detailed opinion from an expert auditor on how well the organization manages its controls and where it has weaknesses. The organization can then act on the weaknesses uncovered.

An opinion will generally indicate one of three situations:

  1. Unqualified opinion: Everything is as it should be according to SOC and auditor guidelines. Complete perfection is rare due to the irregularities of human nature!
  2. Unqualified opinion with minor exceptions: This is the most common result. Almost every report will have this and it is rare to see a report with no exceptions. Examples of weaknesses may include employees leaving or joining the company, password strength, or manual process risks.
  3. Qualified opinion: Of the different areas covered in the report, one or more areas qualify as departing from GAAP, and the effect is material. For example, accounting revenue for a large debt from a bankrupt company with no security. This kind of opinion is serious, and should be addressed before you go further with this service provider.


RevStream takes their SOC reports seriously because their software helps you manage your financial data in a secure environment. If you would like to see how RevStream works and how automation truly increases the security of your data, sign up for a product demo.