Remedies for 8 Most Common SOC 2 Control Exceptions (How to Prevent Them)

The Exceptions That Derail SOC 2 Audits
Based on our experience supporting over 100 SOC 2 audits, certain exceptions appear repeatedly across companies of all sizes and industries. These are not obscure technical requirements – they are fundamental control areas that every organization pursuing SOC 2 must address.
What makes these exceptions particularly problematic is that they are both common and severe. When auditors find multiple exceptions in these areas, materiality thresholds are quickly crossed and qualified opinions become likely.
This article covers the 8 most common control exceptions we see, why they occur, and specific prevention steps based on real audit experience. These 8 exceptions account for approximately 70% of all material findings that lead to qualified opinions.
If you are preparing for your first SOC 2 audit, focus your prevention efforts here. If you have already received an audit report with exceptions, this article will help you understand what auditors are looking for and how to remediate effectively.
About the Author
Parth Shah, CPA is the founder of CountSure with 10+ years of hands-on SOC audit experience. He has personally reviewed 100+ audit reports and exception findings across SaaS, fintech, healthcare, and e-commerce companies.
A Certified Public Accountant (US), Fellow Chartered Accountant, Registered Valuer, and holder of a Diploma in Information System Audit, Parth brings Big 4 training from Ernst and Young to his role at CountSure. He specializes in exception prevention, helping companies implement the exact controls and evidence collection processes that auditors expect.
Exception 1. Inadequate Access Control Documentation
The Problem
Access controls are the foundation of SOC 2 Security requirements. Companies fail when they cannot prove user access is properly managed – who has access, how it is granted, reviewed, and revoked.
How to Prevent?
- Create formal access request process with ticketing system
- Require manager approval for all access (keep evidence!)
- Conduct quarterly access reviews and document with timestamps
- Use offboarding checklist that includes access revocation
- Maintain access change logs with dates and approvers
Timeline: 2-4 weeks
Exception 2. Missing or Incomplete Background Checks
The Problem
SOC 2 requires background checks on employees with access to sensitive data. Many startups skip this or only check some employees, not contractors or offshore team members.
How to Prevent?
- Conduct checks for ALL employees and contractors with system access
- Use reputable service (Checkr, Sterling) and keep records
- For international teams, use alternative verification when local laws prohibit checks
- Complete BEFORE granting production access
Timeline: 1-2 weeks
Exception 3. Insufficient Change Management Evidence
The Problem
Code changes must be reviewed, tested, and approved before production deployment. Many companies do this informally without documentation.
How to Prevent?
- Use formal ticketing for all changes (Jira, Linear)
- Require peer code review before merging
- Document testing procedures and results
- Get explicit approval for production deployments
- Maintain change logs with dates and approvers
Timeline: 3-4 weeks
Exception 4. Weak or Unenforced Password Policies
The Problem
Having a password policy is not enough. You need proof that systems actually enforce it. Many companies have policies on paper but allow weak passwords in practice.
How to Prevent?
- Configure ALL systems to enforce password requirements (12+ characters, complexity)
- Require MFA for all users accessing production or customer data
- Use single sign-on (SSO) and password managers
- Take screenshots of system configurations as evidence
Timeline: 1-2 weeks
Exception 5. Incomplete Vendor Management
The Problem
Your SOC 2 scope extends to third-party vendors. Companies fail to properly assess, document, and monitor vendors who access systems or handle data.
How to Prevent?
- Create complete vendor inventory (including cloud providers)
- Request SOC 2 reports from critical vendors annually
- Conduct security assessments for vendors without SOC 2
- Include security requirements in all vendor contracts
Timeline: 3-4 weeks
Exception 6. Missing Security Awareness Training
The Problem
SOC 2 mandates security awareness training for all employees. Training must be documented, tracked, and completed annually by everyone, including contractors.
How to Prevent?
- Deploy training platform (KnowBe4, SANS, Proofpoint)
- Enroll ALL employees and contractors
- Cover: phishing, passwords, data handling, incident reporting
- Track completion with platform reports
Timeline: 2-3 weeks
Exception 7. Inadequate Incident Response Documentation
The Problem
You need both an incident response plan AND evidence you have tested it. Plans sitting in documents without testing do not satisfy auditors.
How to Prevent?
- Create or update incident response plan
- Conduct annual tabletop exercises (document attendees, scenarios, outcomes)
- Use ticketing for real incidents (Jira, PagerDuty)
- Write post-incident reports for security events
Timeline: 2-3 weeks
Exception 8. Poor Evidence Organization
The Problem
Controls might exist, but if evidence is scattered, incomplete, or takes weeks to find, auditors assume controls do not exist.
How to Prevent?
- Create centralized evidence repository (Google Drive, SharePoint)
- Organize by control domain or Trust Services Criterion
- Use consistent file naming (for example, 2024-Q3-Access-Review.xlsx)
- Collect evidence throughout observation period, not at the end
Timeline: 1-2 weeks
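As an added illustration of the evidence-organization steps above (example code, not from the article or CountSure): a small Python check that reads a repository listing named per the YYYY-Qn-Control convention and reports which quarters of the observation period lack evidence for each quarterly control. The control names, observation dates and file names are constructed for the example.

```python
"""Evidence-coverage check for a SOC 2 observation period (added example, not
from the article or CountSure). File names follow the article's convention
YYYY-Qn-<Control>.<ext>, e.g. 2024-Q3-Access-Review.xlsx. Names are constructed."""
import re
from datetime import date

# Constructed: controls that must show evidence in every quarter.
QUARTERLY_CONTROLS = ("Access-Review", "Change-Log-Export")
NAME_RE = re.compile(r"^(\d{4})-Q([1-4])-([A-Za-z-]+)\.\w+$")
# Constructed observation period: 1 Jan 2024 through 30 Sep 2024.
OBSERVATION = (date(2024, 1, 1), date(2024, 9, 30))

def quarter_of(d):
    """(year, quarter) containing date d."""
    return d.year, (d.month - 1) // 3 + 1

def quarters_between(start, end):
    """Every (year, quarter) touched by the observation period."""
    y, q = quarter_of(start)
    last = quarter_of(end)
    out = []
    while (y, q) <= last:
        out.append((y, q))
        y, q = (y + 1, 1) if q == 4 else (y, q + 1)
    return out

def parse_evidence(filenames):
    """Map (year, quarter) -> set of controls with evidence on file; files
    that break the naming convention are returned separately for renaming."""
    found, nonconforming = {}, []
    for name in filenames:
        m = NAME_RE.match(name)
        if not m:
            nonconforming.append(name)
            continue
        found.setdefault((int(m[1]), int(m[2])), set()).add(m[3])
    return found, nonconforming

def missing_evidence(filenames, start, end, controls=QUARTERLY_CONTROLS):
    """{(year, q): [controls lacking evidence]} for each quarter in scope."""
    found, _ = parse_evidence(filenames)
    gaps = {}
    for yq in quarters_between(start, end):
        absent = [c for c in controls if c not in found.get(yq, set())]
        if absent:
            gaps[yq] = absent
    return gaps

# Constructed listing: the Q2 2024 access review was never evidenced.
SAMPLE_FILES = ["2024-Q1-Access-Review.xlsx", "2024-Q1-Change-Log-Export.csv",
                "2024-Q2-Change-Log-Export.csv", "2024-Q3-Access-Review.xlsx",
                "2024-Q3-Change-Log-Export.csv", "access review oct.xlsx"]
```

Running `missing_evidence(SAMPLE_FILES, *OBSERVATION)` flags the Q2 2024 access review as missing, and `parse_evidence` lists the file that does not follow the naming convention so it can be renamed before the auditor asks for it.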
Key Takeaways from These 8 Common SOC 2 Control Exceptions
These 8 control exceptions account for approximately 70 percent of material findings in SOC 2 audits. They appear repeatedly because they involve fundamental controls that every company must implement.
The good news is that all 8 are preventable with proper planning and execution. They do not require expensive tools or massive teams. They require:
- Documented processes
- Consistent execution
- Systematic evidence collection
- Adequate lead time before the audit
At CountSure, we specialize in helping companies establish these exact controls and gather the evidence auditors need. Our offshore model provides experienced guidance at 60% less cost than traditional US consulting firms.
Ready to prevent these exceptions in your audit? Schedule a free consultation to discuss your specific situation.
Your 60-Day Exception Prevention Plan to Avoid a Qualified Opinion in Your SOC Audit Report
Month 1 (Days 1-30):
Week 1: Set up access request ticketing and complete first quarterly access review
Week 2: Order background checks for all in-scope personnel, select training platform
Week 3: Establish change management process in ticketing system
Week 4: Configure password policies and MFA enforcement across all systems
Month 2 (Days 31-60):
Week 5: Deploy security awareness training, create vendor inventory
Week 6: Request SOC 2 reports from critical vendors, organize evidence folders
Week 7: Update incident response plan, schedule tabletop exercise
Week 8: Conduct incident response tabletop, complete internal control testing
This 60-day sprint addresses the 8 most common exceptions. Start this at least 4 months before your observation period begins to allow time for controls to mature and be tested.
Frequently Asked Questions
There is no fixed number. One minor exception (example: one quarterly review 2 weeks late) might be acceptable. Multiple exceptions (example: missing background checks AND skipped access reviews AND no change management) will likely result in a qualified opinion due to pervasiveness. Focus on preventing all of them rather than calculating acceptable limits.
Partially. You can fix documentation issues quickly (organize evidence, gather missing documentation). However, you cannot retroactively prove controls operated during the observation period if they did not. For example, if you did not conduct quarterly access reviews, you cannot go back and create them. This is why prevention before the observation period is critical.
Technically yes, but most enterprise prospects require a clean opinion before signing contracts. A qualified opinion signals deficiencies and significantly hurts your ability to close new business.
Minor issues: 30-60 days. Significant problems: 3-6 months. Issues requiring re-establishing controls over time: 6-12 additional months.
Disclaimer
This article provides general guidance based on common SOC 2 audit practices. Specific audit requirements may vary by auditor and scope. The information is for educational purposes and does not constitute professional advice. We recommend working with a qualified CPA firm for guidance specific to your audit.
Parth Shah, Managing Director
(CPA-US, FCA, RV-S&FA, DISA)
Parth Shah, head of Accounts and Bookkeeping, has more than 10 years of experience. He is a Certified Public Accountant (US), Fellow Chartered Accountant, Registered Valuer, and holder of a Diploma in Information System Audit.
