SOC 2 Opinions & Exceptions, Explained
Every SOC 2 report ends in one of four auditor opinions — unmodified, qualified, adverse, or disclaimer — and many reports also list test exceptions along the way. Confusing the two is the most common SOC 2 reading error. Here is what each opinion means, what exceptions actually record, and how one becomes the other.
The distinction that matters: exceptions are individual test deviations recorded in Section 4; the opinion is the auditor’s overall conclusion after weighing them. A report can carry a clean opinion and still list exceptions.
Plain-English explainer · Applies to SOC 1 & SOC 2 · Last reviewed July 2026
A SOC 2 report carries one of four auditor opinions — unmodified (clean), qualified (“except for”), adverse, or disclaimer — and the opinion is not the same thing as the test exceptions listed in Section 4. Exceptions are individual test deviations; the opinion is the auditor’s overall conclusion after weighing them. The confusion is understandable, because the two live in different places. The opinion sits in the Independent Service Auditor’s Report at the front of the document, written and signed by the independent licensed CPA firm that performed the examination. The exceptions sit dozens of pages later, in the Section 4 test tables, one result at a time. And they do not map one-to-one: a report listing several exceptions can carry a clean opinion, while a report with a single unmet criterion can be qualified. Readers who stop at the opinion page misjudge in one direction; readers who count exceptions and panic misjudge in the other. This guide walks through the four opinions, what an exception actually records, how auditors weigh one into the other, and what to do on each side of the table — whether you are reviewing a vendor’s SOC 2 or bracing for your own.
Opinion 1 of 4
Unmodified — the Clean Opinion
An unmodified opinion — often called unqualified, or simply clean — states that the system description is fairly presented and the controls were suitably designed, and, for a Type 2, that they operated effectively across the review period — all “in all material respects.” That last phrase is doing real work: it is a materiality threshold, not a claim of perfection. Most SOC 2 reports issued in any given year are unmodified.
What a clean opinion does not say is that every test passed. An unmodified report can — and often does — list exceptions in its Section 4 results; the auditor simply concluded that none of them, alone or together, kept a trust services criterion from being met. The reader’s move: take the clean opinion as the headline, then read Section 4 anyway. The exceptions tell you where the control environment is thinnest, which is exactly what a risk reviewer is paid to find.
Opinion 2 of 4
Qualified — “Except For”
A qualified opinion is recognizable by two words: “except for.” The auditor concludes that the report stands — except for one or more specific matters, which the opinion identifies. Three situations produce it: one or more trust services criteria were not achieved; the system description contains a material misstatement; or material exceptions occurred but are confined to specific areas rather than pervading the report. Everything outside the named matters keeps its assurance.
A qualified report is not a failed report, and treating it as one wastes the signal it carries. The reading discipline is to locate the language explaining the basis for the qualification and answer two questions: which criteria or controls are qualified, and does the qualified area touch the service you actually consume? A qualification confined to change management on a legacy product you never use is a very different risk decision from one touching logical access across the whole platform. Scope the qualification before you react to it.
Opinion 3 of 4
Adverse — Pervasive Failure
An adverse opinion is the strongest negative conclusion an auditor can reach: the system description is not fairly presented, or the controls were not suitably designed or did not operate effectively — not in isolated pockets, but overall. Where a qualification fences off a problem area and preserves the rest of the report, an adverse opinion says the problems are too widespread to fence.
Adverse opinions are rare in practice. If a vendor hands you one, the guidance is blunt: it provides no assurance you can rely on. Escalate it inside your organization rather than filing it, treat the service as unattested, and ask the vendor directly what happened and what the remediation plan is.
Opinion 4 of 4
Disclaimer — No Opinion at All
A disclaimer of opinion means the auditor could not obtain sufficient appropriate evidence to conclude anything — so no opinion is expressed. It is less a verdict on the controls than the absence of one: the examination could not be completed to the standard an opinion requires.
For a reader, the practical effect matches an adverse opinion: no assurance. A disclaimed report tells you nothing about whether controls operated, and it should carry no weight in a vendor review. Treat the organization as unattested until a completed examination with a real opinion exists.
Section 4
What an Exception Actually Is
Section 4 of a SOC 2 report — the tests of controls and results — is where exceptions live. For every control, the report lists the tests the service auditor performed and, test by test, the result: either “No exceptions noted” or “Exceptions noted,” followed by a description of what was found. An exception — also called a deviation or test exception — is a single test that did not come back clean. The usual causes:
- The control did not operate consistently through the period — it ran most of the time but skipped instances, like a quarterly access review performed three quarters out of four.
- Sample item failures — a subset of the items the auditor sampled did not meet the control, such as two of twenty-five sampled terminations deprovisioned late.
- Missing evidence — the control may well have operated, but the organization could not produce records proving it for some items.
- The control was not yet implemented for part of the period — common when a control went live partway through a Type 2 window.
- Population errors — the population provided for sampling was incomplete or inaccurate, undermining the test itself.
Each exception is recorded against one specific test of one specific control. The word itself carries no verdict — the verdict comes later, when the auditor weighs the pile.
Auditor Judgment
Exceptions Don’t Automatically Qualify a Report
The single most misread fact about SOC 2: exceptions and qualified opinions are connected by judgment, not arithmetic. When exceptions surface, the auditor evaluates their significance — the nature of the control involved, how frequently it failed, whether compensating controls cover the same risk, and above all whether the related trust services criterion was still met despite the deviations. If the criteria hold, the opinion stays unmodified. That is why many clean reports contain a handful of exceptions, and why counting exceptions is a poor proxy for vendor risk.
The other half of the picture is management’s response. Exceptions are commonly addressed in Section 5, “Other Information Provided by Management” — an unaudited section where the organization can state each exception’s root cause, remediation status, and any compensating controls. The auditor performs no procedures on Section 5, but experienced readers weigh it heavily: a mature organization responds to every exception, plainly and specifically. Silence — exceptions sitting in Section 4 with no acknowledgment anywhere — is the genuinely bad sign, because it suggests the organization either did not notice or hoped you would not.
Vendor-Risk Playbook
Reading Exceptions as a Customer
When a vendor’s report arrives with exceptions or a modified opinion, work through it in order:
- Triage by relevance. An exception in logical access or change management touches almost every customer; an exception in a marketing office’s visitor log probably touches none. Weigh each against the service you actually consume.
- Check the prior year. Pull last year’s report and compare: a repeat exception on the same control signals weak remediation discipline — often a bigger finding than the exception itself.
- Read management’s Section 5 response for every exception — root cause, remediation status, compensating controls. No response is your cue to ask why.
- For a qualified opinion, ask the vendor for remediation evidence covering the qualified areas, and consider contractual protections until the next report demonstrates the fix.
- For an adverse opinion or a disclaimer, escalate. Both mean no assurance — treat the vendor as unattested and make the risk decision on that basis.
Two adjacent checks complete the review: confirm your side is operating the complementary user entity controls (CUECs) the report assumes of you, and note how subservice organizations are treated — under the carve-out method, their controls were not tested in this report at all.
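The playbook above is a repeatable procedure, and a vendor-risk team that reviews many reports a year usually ends up encoding it. The script below is an added example written for this page, not code from the page's author or from Tranquility Cybersecurity; it models a report as the opinion on the front page plus the Section 4 exceptions and Section 5 responses, then applies the three checks (relevance to the services you consume, repeat against the prior year, presence of a management response) and separately maps the four opinions to the reliance decision the text describes. The vendor name, control identifiers such as LA-03, the control areas and the response text are all constructed sample data.

```python
from dataclasses import dataclass

# Opinions that provide no assurance the reader can rely on.
NO_ASSURANCE_OPINIONS = frozenset({"adverse", "disclaimer"})


@dataclass(frozen=True)
class TestException:
    """One 'Exceptions noted' result from the Section 4 test tables."""
    control_id: str    # vendor's own control identifier (constructed here)
    area: str          # control area the test belongs to
    description: str


@dataclass(frozen=True)
class SocReport:
    vendor: str
    period: str
    opinion: str                 # "unmodified", "qualified", "adverse" or "disclaimer"
    qualified_areas: frozenset   # areas named in the basis-for-qualification language
    exceptions: tuple            # TestException records from Section 4
    section5_responses: dict     # control_id -> management's response text, if any


@dataclass(frozen=True)
class Finding:
    control_id: str
    relevant: bool       # does the control area touch a service we consume?
    repeat: bool         # did the same control carry an exception last year?
    has_response: bool   # did management address it in Section 5?
    severity: str
    action: str


def opinion_decision(opinion, qualified_areas, consumed_areas):
    """Headline decision from the opinion page alone, before reading Section 4."""
    if opinion in NO_ASSURANCE_OPINIONS:
        return "no assurance: escalate and treat the vendor as unattested"
    if opinion == "qualified":
        overlap = frozenset(qualified_areas) & frozenset(consumed_areas)
        if overlap:
            return ("qualified in areas we consume (%s): request remediation "
                    "evidence and consider contractual protections"
                    % ", ".join(sorted(overlap)))
        return "qualified outside the areas we consume: note it and monitor the next report"
    return "unmodified: rely on the report, subject to exception triage"


def triage_exception(exc, current, prior, consumed_areas):
    """Apply the three playbook checks to one Section 4 exception."""
    relevant = exc.area in consumed_areas
    repeat = prior is not None and any(
        p.control_id == exc.control_id for p in prior.exceptions)
    has_response = bool(current.section5_responses.get(exc.control_id, "").strip())

    if not relevant:
        severity, action = "low", "note only; control area does not touch our use of the service"
    elif repeat and not has_response:
        severity, action = "high", "repeat exception with no Section 5 response: ask the vendor why"
    elif repeat:
        severity, action = "elevated", "repeat exception: request evidence that remediation held"
    elif not has_response:
        severity, action = "elevated", "no Section 5 response: ask for root cause and status"
    else:
        severity, action = "moderate", "relevant but addressed: review the remediation status"
    return Finding(exc.control_id, relevant, repeat, has_response, severity, action)


def review(current, prior, consumed_areas):
    """Return the opinion-level decision and a triaged finding per exception."""
    decision = opinion_decision(current.opinion, current.qualified_areas, consumed_areas)
    findings = [triage_exception(e, current, prior, consumed_areas) for e in current.exceptions]
    return decision, findings


# Constructed sample data: a fictional vendor's prior-year and current reports.
PRIOR_REPORT = SocReport(
    vendor="ExampleVendor", period="2024", opinion="unmodified", qualified_areas=frozenset(),
    exceptions=(TestException("LA-03", "logical access",
                              "2 of 25 sampled terminations deprovisioned late"),),
    section5_responses={"LA-03": "Root cause: manual HR handoff. Automation planned."},
)
CURRENT_REPORT = SocReport(
    vendor="ExampleVendor", period="2025", opinion="unmodified", qualified_areas=frozenset(),
    exceptions=(
        TestException("LA-03", "logical access",
                      "3 of 25 sampled terminations deprovisioned late"),
        TestException("CM-01", "change management",
                      "1 of 40 sampled changes deployed without an approval record"),
        TestException("PS-07", "physical security",
                      "visitor log unsigned on 2 of 40 sampled days"),
    ),
    section5_responses={"CM-01": "Root cause: emergency change path bypassed ticketing. "
                                 "Approval gate added to the emergency path in Q3."},
)
# The services we actually consume from this vendor, expressed as control areas.
CONSUMED_AREAS = frozenset({"logical access", "change management", "availability"})

if __name__ == "__main__":
    decision, findings = review(CURRENT_REPORT, PRIOR_REPORT, CONSUMED_AREAS)
    print(decision)
    for f in findings:
        print(f"{f.control_id}: {f.severity} - {f.action}")
```

Run as written, the sample data reproduces the page's point: the report is unmodified, yet the repeat logical-access exception with no Section 5 response surfaces as the one finding that needs a direct question to the vendor, the responded change-management exception is a routine status check, and the visitor-log exception is noise for this customer. Swapping the opinion to qualified, adverse or disclaimer changes only the headline decision, which is the separation between opinion and exceptions the page describes.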
Service-Org Playbook
When Exceptions Surface in Your Own Fieldwork
On the other side of the table, exceptions feel worse than they usually are. The playbook:
- Don’t panic, and don’t argue reflexively. Give the auditor full context: what happened, why, and any compensating controls that covered the same risk. Significance is a judgment, and context legitimately informs it.
- Remediate before period end where you can. A Type 2 reports what happened during the period, so the exception itself will not disappear — but remediation shows up in your Section 5 response now and as clean tests in next year’s report.
- Respond to every exception in Section 5: root cause, fix, current status. A specific, unhurried response reads as operational maturity; silence reads as the opposite.
- If the opinion comes back qualified, treat it as survivable — because it is. Handled transparently, with remediation evidence offered before customers ask, a qualified report damages trust far less than one that was quietly downplayed.
- Plan the next examination period immediately. The fastest cure for a qualified year is a clean following period — every month of delay extends the window your customers are pricing in.
This preparation problem is where Tranquility Cybersecurity sits. We get organizations examination-ready — control design, evidence discipline, exception triage before fieldwork — and coordinate the examination through empanelled, independent licensed CPA firms. TCSA does not issue opinions; no consultant should. With 500+ audits delivered for 250+ clients in exactly this role, the working rule is simple: find the would-be exceptions while they are still fixable. See our SOC 2 services and audit preparation pages for how an engagement runs.
One scope note: everything above applies equally to SOC 1. The four-opinion architecture, Section 4 exceptions, and Section 5 management responses work the same way in a SOC 1 examination — and a qualified report cannot be patched over with a bridge letter, which only extends a report across a gap period and adds no assurance of its own.
Opinions & Exceptions — Common Questions
Qualified vs clean, exceptions vs opinions, and what to do on either side of the report.
What does a qualified SOC 2 report mean?
It means the auditor concluded the report stands “except for” specific named matters — one or more trust services criteria not achieved, a material misstatement in the system description, or material exceptions confined to particular areas. The rest of the report keeps its assurance. Read the language explaining the basis for the qualification to see exactly which criteria or controls are affected, then assess whether those areas touch the service you use.
Do exceptions always mean a qualified opinion?
No. The auditor weighs each exception’s significance — the nature of the control, how often it failed, whether compensating controls cover the same risk, and whether the related criterion was still met. If the criteria hold despite the deviations, the opinion remains unmodified. Many clean SOC 2 reports contain a handful of exceptions; a qualification follows only when the problems are material to a criterion or to the description.
What is the difference between an exception and a qualified opinion?
An exception is a single test result: one control test in Section 4 that did not come back clean. A qualified opinion is the auditor’s overall conclusion, reached after weighing all the exceptions together against the trust services criteria. Exceptions are the raw findings; the opinion is the verdict. A report can list several exceptions and still be unmodified — the two should never be read as interchangeable.
Is a SOC 2 report with exceptions still usable?
Usually, yes — most reports containing exceptions still carry unmodified opinions. Judge each exception by its relevance to your use of the service, check whether it repeats from the prior year’s report, and read management’s Section 5 response. A relevant exception with a clear remediation response is a manageable risk conversation; a repeated exception with no response at all is the pattern that should worry you.
What is an adverse opinion?
An adverse opinion says the problems are pervasive: the system description is not fairly presented, or the controls were not suitably designed or did not operate effectively overall — not confined to specific areas the way a qualification is. Adverse opinions are rare. Treat one as providing no assurance at all: escalate it, and treat the organization as effectively unattested until a later clean examination exists.
What should we do if our SOC 2 comes back qualified?
Respond to every exception in Section 5 with root cause and remediation status, fix the qualified areas quickly, and communicate proactively — offer customers remediation evidence before they ask. Then start the next examination period immediately, since a clean following report is the real cure. A qualified report handled transparently is survivable; one that customers discover was downplayed does far more damage.
Where do management responses to exceptions appear?
In Section 5 of the report, usually titled “Other Information Provided by Management.” It is unaudited — the service auditor performs no procedures on it — but it is where organizations state each exception’s root cause, remediation status, and compensating controls. Read it alongside Section 4: a response for every noted exception signals operational maturity, while silence on a noted exception is a red flag.