Best Practices | 10 min read

Top 10 Red Flags in SOC 1 Type II Reports Every Auditor Should Know

By SOC Review Team

Not all SOC reports are created equal. While a clean opinion might seem reassuring, experienced auditors know to look beyond the surface. These 10 red flags can indicate significant control risks that require immediate attention and additional audit procedures.

Critical Warning

Missing even one of these red flags can lead to inappropriate reliance on deficient controls. In our analysis of 3,200+ SOC reviews, engagements that identified and properly addressed these indicators had 78% fewer audit adjustments and restatements.

Red Flag #1: Qualified or Adverse Opinion

Severity: Critical

What to Look For:

The service auditor's opinion is modified: qualified ("except for" the matters described), adverse ("controls were not suitably designed or operating effectively" on a pervasive basis), or disclaimed (the auditor could not obtain enough evidence to express an opinion). The basis for the modification is stated in the opinion section itself; read it before anything else in the report.

Why It Matters:

A qualified opinion means the service auditor concluded that, except for the matters described, controls were suitably designed and operated effectively; an adverse opinion means the deficiencies are pervasive. Either way the report does not give you the blanket assurance a clean opinion provides, and every control touched by the modification is unsupported for reliance purposes. This fundamentally undermines the purpose of obtaining a SOC report.

What to Do:

  • Immediately escalate to engagement partner
  • Read the qualification or adverse language carefully to understand scope
  • Assume you CANNOT rely on affected controls without additional substantive testing
  • Consider whether the relationship with this service organization should continue
  • Quantify potential exposure if qualified controls failed

Real Example: A payroll service organization received a qualified opinion due to insufficient segregation of duties in payroll processing. The user auditor performed detailed substantive testing of all payroll transactions for the year, identifying $127,000 in unauthorized salary increases that management had processed.

Red Flag #2: High Exception Rate (>10%)

Severity: Significant to Critical

What to Look For:

More than 10% exception rate in sample testing for any control (e.g., "5 out of 40 items tested resulted in exceptions", a 12.5% rate).

Why It Matters:

Industry benchmarks show average exception rates of 3-8%. Rates above 10% suggest systematic control failures, not isolated incidents. Note that an exception is reported in the Section 4 test results even when the service auditor judged it not to affect the opinion, so the opinion page alone will not tell you it is there.

What to Do:

  • Calculate the exception rate yourself (exceptions ÷ sample size) rather than accepting the service auditor's characterization of an exception as "isolated"
  • Assess whether exceptions indicate design or operating effectiveness issues
  • Evaluate compensating controls - are they truly effective?
  • Consider expanding substantive testing in affected areas
  • Document rationale if you still choose to rely on these controls

Red Flag #3: Missing or Incomplete CUECs

Severity: Significant

What to Look For:

Complementary User Entity Controls (CUECs) are vaguely described, missing entirely, or don't logically address control gaps.

Why It Matters:

CUECs are YOUR client's responsibility. If they're poorly defined or missing, you won't know which controls your client needs to implement.

Red Flag Indicators:

  • CUECs listed as "User should implement appropriate controls" (too vague)
  • No CUECs listed despite obvious control gaps
  • CUECs don't specify frequency, responsible party, or evidence
  • Disconnect between service org controls and required user entity controls

What to Do:

  • Contact the service organization for clarification on specific CUECs
  • Work with your client to define and implement necessary controls
  • Test CUEC implementation before relying on service org controls
  • If client hasn't implemented CUECs, you cannot rely on related controls

Red Flag #4: Significant Subservice Organization Carve-Outs

Severity: Significant

What to Look For:

The SOC report uses the "carve-out method" for subservice organizations that perform critical functions (cloud infrastructure, payment processing, data storage). Under that method the report should still name the carved-out functions and list the complementary subservice organization controls (CSOCs) that the service organization assumes the subservice provider performs; check that it does.

Why It Matters:

The carve-out method means the subservice organization's controls were excluded from the description and were NOT tested by the service auditor. You're getting incomplete coverage of the service delivery chain, and if the CSOCs are missing or vague you cannot even tell which controls are assumed to sit with the subservice provider.

What to Do:

  • Identify all carved-out subservice organizations
  • Obtain SOC reports for material subservice organizations, and confirm their period and scope actually cover the carved-out functions
  • If subservice SOC reports are unavailable, treat the carved-out function as a control gap
  • Assess whether your client can provide alternative evidence
  • Consider direct confirmation or other substantive procedures

Red Flag #5: Management Override Exceptions

Severity: Critical

What to Look For:

Exceptions indicating management bypassed established controls, particularly around authorization, access, or approval workflows.

Examples:

  • "Management processed 3 transactions without secondary approval"
  • "CEO accessed production system despite role-based restrictions"
  • "Emergency access used for non-emergency situations in 8 instances"

Why It Matters:

Management override is a fraud risk indicator. If management routinely bypasses controls, the control environment may be ineffective regardless of written policies.

What to Do:

  • Evaluate the tone at the top and control culture
  • Assess fraud risk and consider it in your audit approach
  • Perform detailed testing of journal entries and unusual transactions
  • Consider whether relationship with service org should continue
  • Increase professional skepticism in all areas

Red Flag #6: Inadequate Sample Sizes

Severity: Moderate

What to Look For:

Sample sizes that are too small to provide meaningful assurance, particularly for high-frequency manual controls.

Red Flag Indicators:

  • Daily manual control tested with only 10-15 samples (should be 25-40). A fully automated control is different: a single test instance can be adequate, but only if the general IT controls that keep it operating (change management, logical access) were themselves tested without exception
  • Weekly control tested with only 5 samples across 52-week period
  • Inconsistent sampling across similar controls without justification
  • No explanation for reduced sample sizes

What to Do:

  • Compare sample sizes to industry standards (see our benchmark report)
  • Consider performing your own supplemental testing if samples inadequate
  • Reduce reliance on controls with insufficient testing
  • Document concerns in workpapers
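The following script, added here as an example and not part of the original post or of any firm's methodology, applies the exception-rate check from Red Flag #2 and the sample-size check from Red Flag #6 to a set of constructed Section 4 test results. It goes one step beyond the page's observed-rate rule: it also computes the one-sided upper deviation limit that attribute-sampling tables report, which is the figure to compare with a tolerable deviation rate when a sample is small. The MIN_SAMPLE thresholds, the control names and the test counts are assumptions made for the example.

```python
from dataclasses import dataclass
from math import comb

# Assumed minimum sample sizes by control frequency. These are illustrative
# thresholds for this example, not figures from the page or from any standard;
# substitute your firm's methodology. The page's own figure for a daily manual
# control is 25-40 items.
MIN_SAMPLE = {
    "annual": 1, "quarterly": 2, "monthly": 2,
    "weekly": 5, "daily": 25, "multiple_daily": 25,
}


@dataclass
class ControlTest:
    control_id: str
    frequency: str          # one of the MIN_SAMPLE keys
    sample_size: int
    exceptions: int
    automated: bool = False  # automated controls are usually tested once, if ITGCs hold


def exception_rate(exceptions: int, sample_size: int) -> float:
    """Observed deviation rate: exceptions / sample size."""
    return exceptions / sample_size


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_rate(exceptions: int, sample_size: int,
                         confidence: float = 0.95, tol: float = 1e-6) -> float:
    """One-sided Clopper-Pearson upper limit: the largest population deviation
    rate at which seeing this few exceptions is still plausible (probability
    1 - confidence). Attribute-sampling tables report this value; it, not the
    observed rate, is what you compare with your tolerable deviation rate."""
    if exceptions >= sample_size:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = exceptions / sample_size, 1.0   # the cdf is decreasing in p on this range
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(exceptions, sample_size, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate(test: ControlTest, tolerable_rate: float = 0.10,
             confidence: float = 0.95) -> dict:
    """Rates plus a list of red-flag strings for one control's test results."""
    rate = exception_rate(test.exceptions, test.sample_size)
    upper = upper_deviation_rate(test.exceptions, test.sample_size, confidence)
    flags = []
    if rate > tolerable_rate:
        flags.append(f"observed exception rate {rate:.1%} above {tolerable_rate:.0%} (Red Flag #2)")
    elif upper > tolerable_rate and test.exceptions > 0:
        # Observed rate looks fine, but the sample is too small to conclude the
        # population rate is within tolerance at the stated confidence. With zero
        # exceptions, small samples for infrequent controls are judged by the
        # frequency minimum below rather than statistically.
        flags.append(f"upper deviation limit {upper:.1%} exceeds tolerable {tolerable_rate:.0%}")
    if test.automated:
        if test.sample_size < 1:
            flags.append("automated control not tested")
    elif test.sample_size < MIN_SAMPLE[test.frequency]:
        flags.append(f"sample size {test.sample_size} below minimum "
                     f"{MIN_SAMPLE[test.frequency]} for a {test.frequency} control (Red Flag #6)")
    return {"control_id": test.control_id, "rate": rate, "upper": upper, "flags": flags}


def review(tests: list) -> dict:
    """Map control id -> flags, omitting controls that raised none."""
    out = {}
    for t in tests:
        r = evaluate(t)
        if r["flags"]:
            out[t.control_id] = r["flags"]
    return out


# Constructed sample of Section 4 test results (not from any real report).
SAMPLE_TESTS = [
    ControlTest("CC-07 payroll change approval", "daily", 40, 5),   # the page's 5-of-40 case
    ControlTest("CC-03 daily reconciliation", "daily", 12, 0),      # too few items
    ControlTest("CC-11 weekly access review", "weekly", 5, 0),
    ControlTest("CC-15 monthly journal review", "monthly", 2, 1),   # 50% observed
    ControlTest("CC-20 interface validation", "daily", 1, 0, automated=True),
]

if __name__ == "__main__":
    for cid, flags in review(SAMPLE_TESTS).items():
        print(cid)
        for f in flags:
            print("  -", f)
```

With zero exceptions in 25 items the upper limit is about 11.3% at 95% confidence, which is why firms that set a 10% tolerable rate test 29 or more items for a clean daily control; the observed-rate rule on the page and the statistical limit can disagree, and the script reports both so the disagreement is visible in the workpaper.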

Red Flag #7: Stale Report Period

Severity: Moderate to Significant

What to Look For:

SOC report period ended six months or more before your client's year-end, or there's a gap between consecutive report periods.

Example:

Your client's fiscal year ends December 31, 2025, but the SOC report covers January 1 - June 30, 2025. Controls for the second half of your audit period are untested.

Why It Matters:

Controls can change significantly in 6+ months. System upgrades, personnel turnover, or process changes may have occurred after the report period.

What to Do:

  • Request an updated SOC report or a bridge letter covering the gap; a bridge letter is a representation from service organization management about changes since the report date, not an auditor-tested opinion, so it supports inquiry but does not replace testing for a long gap
  • Perform inquiries about control changes since report date
  • Consider testing controls during the gap period yourself
  • Reduce reliance and increase substantive testing if gap is significant
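An added example (not from the original post) of checking report-period coverage for the situation in Red Flag #7: it takes the audit period, the SOC report periods and any bridge letters, and returns the days no service auditor tested, the days with no evidence at all, and how many months separate the latest report period end from year-end. The sample evidence is constructed and mirrors the page's own example; the Evidence class and the six-month threshold as a parameter are assumptions of the example. Dates are ISO strings so the output drops straight into a workpaper.

```python
from dataclasses import dataclass
from datetime import date, timedelta


def _d(iso: str) -> date:
    return date.fromisoformat(iso)


@dataclass
class Evidence:
    kind: str    # "soc_report" (service auditor tested) or "bridge_letter" (management's representation)
    start: str   # inclusive ISO dates
    end: str


def months_between(earlier: str, later: str) -> int:
    """Whole calendar months from `earlier` to `later` (2025-06-30 to 2025-12-31 is 6)."""
    a, b = _d(earlier), _d(later)
    months = (b.year - a.year) * 12 + (b.month - a.month)
    if b.day < a.day:
        months -= 1
    return months


def uncovered(period_start: str, period_end: str, spans: list) -> list:
    """Sub-intervals of [period_start, period_end] that no (start, end) span covers.
    Spans may overlap, abut, or lie partly outside the period; each gap comes back
    as an inclusive (first_day, last_day) pair of ISO strings."""
    end_of_period = _d(period_end)
    cursor = _d(period_start)
    gaps = []
    for start, end in sorted((_d(s), _d(e)) for s, e in spans):
        if end < cursor:
            continue                      # already covered up to here
        if start > cursor:
            gaps.append((cursor, min(start - timedelta(days=1), end_of_period)))
        cursor = max(cursor, end + timedelta(days=1))
        if cursor > end_of_period:
            break
    if cursor <= end_of_period:
        gaps.append((cursor, end_of_period))
    return [(a.isoformat(), b.isoformat()) for a, b in gaps]


def assess_period(audit_start: str, audit_end: str, evidence: list,
                  stale_months: int = 6) -> dict:
    """Red Flag #7 check: where in the audit period is there no tested coverage,
    where is there no coverage at all, and how stale is the latest report?"""
    reports = [(e.start, e.end) for e in evidence if e.kind == "soc_report"]
    everything = [(e.start, e.end) for e in evidence]
    latest_end = max((end for _, end in reports), default=None)   # ISO strings sort by date
    result = {
        "untested": uncovered(audit_start, audit_end, reports),
        "unsupported": uncovered(audit_start, audit_end, everything),
        "months_since_report_end": months_between(latest_end, audit_end) if latest_end else None,
        "flags": [],
    }
    if latest_end is None or result["months_since_report_end"] >= stale_months:
        result["flags"].append(f"latest report period ended {stale_months}+ months before year-end (Red Flag #7)")
    if result["unsupported"]:
        result["flags"].append("part of the audit period has neither a SOC report nor a bridge letter")
    if result["untested"]:
        result["flags"].append("part of the audit period is covered only by a bridge letter, "
                               "which is management's representation, not auditor testing")
    return result


# Constructed evidence: the page's example (report through 30 June for a
# 31 December year-end) plus a bridge letter that stops short of year-end.
SAMPLE_EVIDENCE = [
    Evidence("soc_report", "2025-01-01", "2025-06-30"),
    Evidence("bridge_letter", "2025-07-01", "2025-10-31"),
]

if __name__ == "__main__":
    for key, value in assess_period("2025-01-01", "2025-12-31", SAMPLE_EVIDENCE).items():
        print(f"{key}: {value}")
```

The same `uncovered` routine finds the gap between two consecutive annual reports (for example a report ending 31 December followed by one starting 1 February leaves January untested), which is the second case the red flag describes.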

Red Flag #8: Access Control Exceptions

Severity: Significant to Critical

What to Look For:

Exceptions in logical access controls, user provisioning, privileged access management, or segregation of duties.

Common Examples:

  • Terminated users not removed timely (industry benchmark: 7.8% exception rate)
  • Excessive privileged access granted without justification
  • User access reviews not completed or inadequately documented
  • Segregation of duties violations not detected or addressed

Why It Matters:

Access controls are foundational. If users have inappropriate access, all downstream controls may be ineffective.

What to Do:

  • Assess whether inappropriate access could affect your client's data
  • Request current user access reports from service organization
  • Verify your client's data wasn't accessed by terminated users: request the termination list with access-removal dates and the access logs for those accounts between termination and removal
  • Consider whether segregation of duties violations create fraud risk
  • Test transactions processed by users with excessive access
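A worked example, added here and not part of the original post, of the two checks under Red Flag #8 that can be scripted once the service organization supplies a termination list and an access log: time from termination to access removal, and any activity by terminated accounts against your client's tenant after the termination date. The CSV extracts, column names, tenant names and the one-day removal SLA are constructed assumptions; substitute the real extracts and the service organization's stated SLA.

```python
import csv
import io
from datetime import date, datetime

# Constructed extracts for this example (not from any real engagement): the
# service organization's termination list with the date each account's access
# was actually removed (blank = still active), and an application access log.
TERMINATIONS_CSV = """user,termination_date,access_removed
jdoe,2025-03-14,2025-03-20
asmith,2025-05-02,2025-05-02
rkhan,2025-08-11,
"""

ACCESS_LOG_CSV = """timestamp,user,action,tenant
2025-03-13T09:12:00,jdoe,LOGIN,AcmeCo
2025-03-17T22:41:03,jdoe,EXPORT_PAYROLL_REGISTER,AcmeCo
2025-03-18T08:05:10,jdoe,LOGIN,OtherCo
2025-05-01T08:00:00,asmith,LOGIN,AcmeCo
2025-05-02T17:30:00,asmith,LOGIN,AcmeCo
2025-08-12T07:45:00,rkhan,LOGIN,AcmeCo
2025-09-03T10:00:00,bwong,LOGIN,AcmeCo
"""


def load_terminations(text: str) -> dict:
    """user -> (termination_date, access_removed or None)."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        removed = row["access_removed"].strip() or None
        out[row["user"]] = (date.fromisoformat(row["termination_date"]),
                            date.fromisoformat(removed) if removed else None)
    return out


def late_removals(terms: dict, sla_days: int = 1, as_of: str = "2025-12-31") -> list:
    """Terminated users whose access outlived the removal SLA (an assumed one-day
    SLA here). Accounts never removed are measured up to `as_of` (assumed to be
    the audit period end) and marked still_active."""
    late = []
    for user, (terminated, removed) in sorted(terms.items()):
        end = removed or date.fromisoformat(as_of)
        days = (end - terminated).days
        if days > sla_days:
            late.append({"user": user, "days": days, "still_active": removed is None})
    return late


def removal_exception_rate(terms: dict, sla_days: int = 1) -> float:
    """Share of terminations that missed the SLA: the figure to compare with the
    exception rate the SOC report discloses for this control."""
    return len(late_removals(terms, sla_days)) / len(terms)


def post_termination_activity(terms: dict, log_text: str, tenant: str) -> list:
    """Log events by terminated users against `tenant` dated after termination.
    Same-day events are not flagged because the extract carries no termination
    time; pull the HR timestamp if you need to resolve those."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["tenant"] != tenant or row["user"] not in terms:
            continue
        terminated, _ = terms[row["user"]]
        when = datetime.fromisoformat(row["timestamp"])
        if when.date() > terminated:
            hits.append({"user": row["user"], "timestamp": row["timestamp"], "action": row["action"]})
    return hits


if __name__ == "__main__":
    terms = load_terminations(TERMINATIONS_CSV)
    print("late removals:", late_removals(terms))
    print("exception rate: %.1f%%" % (100 * removal_exception_rate(terms)))
    for hit in post_termination_activity(terms, ACCESS_LOG_CSV, tenant="AcmeCo"):
        print("post-termination activity:", hit)
```

The tenant filter matters: the service auditor's exception covers every customer, but what you need to document is whether any of the late-removed accounts touched your client's data, so the export of a payroll register by a user three days after termination is the line that goes into the workpaper.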

Red Flag #9: Change Management Failures

Severity: Significant

What to Look For:

Exceptions indicating system changes were not properly authorized, tested, or documented (industry benchmark: 5.2% exception rate).

Examples:

  • Production changes deployed without management approval
  • Missing evidence of change testing in non-production environment
  • Emergency changes not retroactively documented or approved
  • Code migrations without proper version control

Why It Matters:

Poorly managed changes can introduce processing errors, security vulnerabilities, or data integrity issues affecting your client's financial information.

What to Do:

  • Identify the specific changes behind each exception and the systems and data they touched
  • Assess whether changes could have impacted your client's processing
  • Perform transaction testing around timing of risky changes
  • Request change logs and analyze for patterns

Red Flag #10: Vague or Generic Control Descriptions

Severity: Moderate

What to Look For:

Control descriptions that are so generic you can't determine what actually happens or who performs the control.

Red Flag Language:

  • "Management reviews reports and investigates exceptions" (which reports? how often? what constitutes an exception?)
  • "Access is restricted to authorized users" (how is authorization determined? how often reviewed?)
  • "Controls are in place to ensure..." (what specific controls?)
  • "Appropriate segregation of duties exists" (between which functions? how enforced?)

Why It Matters:

Vague descriptions prevent you from understanding what was actually tested. You can't evaluate control effectiveness or map to assertions.

What to Do:

  • Request clarification from service organization or service auditor
  • Ask for specific control procedures, frequency, and responsible parties
  • If descriptions remain vague, consider controls untestable
  • Reduce reliance and increase substantive testing

Putting It All Together: Red Flag Assessment Matrix

Use this framework to evaluate your overall comfort level. Where a flag's severity is given as a range (e.g., "Significant to Critical"), rate it at the higher end until the test results show otherwise:

Red Flags Present                            Recommendation          Action Required
0-1 Minor                                    Proceed with reliance   Standard documentation
2-3 Minor, or 1 Moderate                     Modified reliance       Additional procedures in specific areas
3+ Minor, 2+ Moderate, or 1 Significant      Limited reliance        Significant additional substantive testing
Any Critical                                 No reliance             Full substantive audit approach

Key Takeaways

  • Never rely solely on the service auditor's opinion - read the detailed test results
  • One critical red flag is enough to eliminate reliance
  • Multiple minor red flags collectively indicate systematic issues
  • Document your red flag assessment in workpapers
  • Communicate significant concerns to engagement partner immediately
  • When in doubt, reduce reliance and increase substantive testing

Automatically Identify Red Flags in Seconds

SOC Review automatically flags all 10 of these red flags, highlights severity, and provides specific guidance on required additional procedures. Never miss a critical warning sign again.
