
Common SOC 2 Audit Exceptions and How to Address Them

Even well-prepared organizations sometimes receive exceptions in their SOC 2 reports. Understanding common exceptions, and how to prevent them, helps you approach your audit with confidence.

Key Takeaways

  • Exceptions are normal: Having some exceptions doesn't mean you failed
  • Prevention is better: Most exceptions are preventable with proper preparation
  • Context matters: How you address exceptions matters to customers
  • Remediation helps: Showing you've fixed issues demonstrates maturity
  • Patterns matter: Systemic issues are more concerning than isolated incidents

Quick Answer: SOC 2 exceptions are specific instances where controls didn't work as expected. Common exceptions include access review delays, missing change approvals, and incomplete offboarding. Most are preventable with proper processes and preparation.

What Are SOC 2 Exceptions?

An exception (sometimes called a "deviation" or "finding") is a specific instance where:

  • A control wasn't operating as designed
  • Evidence of control operation wasn't available
  • A process wasn't followed correctly

Exceptions are documented in Section 5 of your SOC 2 report (Tests of Controls and Results).

How Exceptions Affect Your Report

Impact on Opinion

Situation and likely opinion:

  • Few isolated exceptions: Unqualified (clean)
  • Some exceptions, all addressed: Unqualified with exceptions noted
  • Pattern of control failures: May be qualified
  • Significant systemic issues: Qualified or adverse

Most organizations with exceptions still receive unqualified opinions. The key is whether exceptions indicate systemic problems or isolated incidents.

Customer Perception

Customers reviewing your report will notice:

  • Number of exceptions
  • Nature of exceptions
  • Whether exceptions were remediated
  • Your response to identified issues

Most Common SOC 2 Exceptions

1. Access Management Exceptions

Access Reviews Not Completed on Time

What happens: Quarterly access reviews are required but weren't completed for one or more quarters.

How to prevent:

  • Set calendar reminders for review deadlines
  • Assign clear ownership for reviews
  • Use automation to facilitate reviews
  • Build buffer time before deadlines

Terminated User Access Not Promptly Removed

What happens: An employee left and their access wasn't removed within the required timeframe.

How to prevent:

  • Integrate offboarding with HR processes
  • Use automated deprovisioning where possible
  • Have clear offboarding checklists
  • Set short SLAs for access removal

Missing Access Approval Documentation

What happens: New access was granted but approval wasn't documented.

How to prevent:

  • Require ticket-based access requests
  • Configure systems to require approval workflow
  • Train team on access request procedures
  • Audit access provisioning regularly

2. Change Management Exceptions

Changes Deployed Without Approval

What happens: Code changes went to production without documented approval.

How to prevent:

  • Configure branch protection rules
  • Require pull request approvals
  • Use CI/CD gates that enforce approval
  • Train developers on change process

Missing Code Review Evidence

What happens: Changes were approved but code review wasn't documented.

How to prevent:

  • Require pull request reviews in your workflow
  • Configure GitHub/GitLab to require reviews
  • Archive review evidence automatically

Emergency Changes Not Properly Documented

What happens: An urgent fix was deployed without following the normal process, but wasn't properly documented as an emergency change.

How to prevent:

  • Have a clear emergency change process
  • Document emergency changes retroactively
  • Review all emergency changes afterward
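The three change management exceptions above all come down to the same pre-audit question: for every production deployment, can you point to an approval by someone other than the author, a recorded code review, and, for anything that bypassed the normal path, an emergency-change record? The following script is an added example (not from the original article or from any CI vendor) that runs that check over constructed deployment and pull request records; the record shapes and the sample data are assumptions, and in practice you would populate them from your SCM and deployment tooling.

```python
"""Pre-audit self-test for change management evidence.

Cross-references production deployments against pull request metadata to
flag the exception patterns discussed above: deploys with no linked PR,
approvals that are really self-approvals, missing review evidence, and
emergency changes with no retroactive emergency-change ticket.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PullRequest:
    number: int
    author: str
    approvers: list[str] = field(default_factory=list)  # who approved the PR
    reviewers: list[str] = field(default_factory=list)  # who left a review
    merged: bool = False


@dataclass
class Deployment:
    sha: str
    deployed_by: str
    pr_number: int | None            # None when the change bypassed the PR flow
    emergency: bool = False
    emergency_ticket: str | None = None


def check_deployment(dep: Deployment, prs: dict[int, PullRequest]) -> list[str]:
    """Return exception descriptions for one deployment (empty list means clean)."""
    problems: list[str] = []
    if dep.emergency:
        # The emergency path is allowed, but only with a retroactive record.
        if not dep.emergency_ticket:
            problems.append("emergency change without emergency-change ticket")
        return problems
    pr = prs.get(dep.pr_number) if dep.pr_number is not None else None
    if pr is None:
        problems.append("no pull request linked to deployment")
        return problems
    if not pr.merged:
        problems.append(f"PR #{pr.number} deployed before merge")
    # Approval evidence only counts when it comes from someone other than the author.
    if not [a for a in pr.approvers if a != pr.author]:
        problems.append(f"PR #{pr.number} has no approval from someone other than the author")
    if not pr.reviewers:
        problems.append(f"PR #{pr.number} has no code review recorded")
    return problems


def audit_changes(deps: list[Deployment], prs: dict[int, PullRequest]) -> dict[str, list[str]]:
    """Map deployment sha -> list of exceptions, for every deployment with a problem."""
    findings: dict[str, list[str]] = {}
    for dep in deps:
        probs = check_deployment(dep, prs)
        if probs:
            findings[dep.sha] = probs
    return findings


# Constructed sample data (hypothetical PRs and deployments, not real records).
PRS = {
    101: PullRequest(101, "alice", approvers=["bob"], reviewers=["bob"], merged=True),
    102: PullRequest(102, "carol", approvers=["carol"], reviewers=["carol"], merged=True),
    103: PullRequest(103, "dave", approvers=["erin"], reviewers=[], merged=True),
}
DEPLOYS = [
    Deployment("a1b2c3", "alice", 101),                               # clean
    Deployment("d4e5f6", "carol", 102),                               # self-approved
    Deployment("0a0b0c", "dave", 103),                                # approved, no review
    Deployment("feed01", "frank", None),                              # pushed straight to prod
    Deployment("beef02", "grace", None, emergency=True, emergency_ticket="EMG-7"),
    Deployment("cafe03", "heidi", None, emergency=True),              # undocumented emergency
]

if __name__ == "__main__":
    for sha, probs in audit_changes(DEPLOYS, PRS).items():
        print(sha, "->", "; ".join(probs))
```

Running it against the sample data reports four of the six deployments; the two clean ones (a normal PR with an independent approver and reviewer, and an emergency change with its ticket) produce no findings, which is the evidence trail an auditor will ask for.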

3. Security Operations Exceptions

Vulnerability Not Remediated Within SLA

What happens: A vulnerability was identified but wasn't fixed within your stated remediation timeframe.

How to prevent:

  • Set realistic remediation SLAs
  • Track vulnerabilities in ticketing system
  • Have an escalation process for aging issues
  • Prioritize based on actual risk
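Two of the exceptions above, "Terminated User Access Not Promptly Removed" and "Vulnerability Not Remediated Within SLA", fail in the same way: a required action happened late or not at all. The script below is an added example (not part of the original article) that measures lateness with one helper and applies it to both controls, so you can run it before the audit period closes instead of discovering the breach in the report. The SLA values, record shapes and sample data are assumptions; substitute your own policy figures and feed it from your HR system, identity provider and vulnerability tracker.

```python
"""Pre-audit SLA check for two time-bound controls: access removal after
termination, and vulnerability remediation.

Open items are measured against today; closed items against the date they
were closed, so an action that was completed late is still reported.
"""
from __future__ import annotations

from datetime import date, timedelta

# Hypothetical SLAs; replace with the timeframes your own policy states.
OFFBOARDING_SLA = timedelta(days=1)
VULN_SLA = {
    "critical": timedelta(days=7),
    "high": timedelta(days=30),
    "medium": timedelta(days=90),
    "low": timedelta(days=180),
}


def days_late(start: date, done: date | None, sla: timedelta, today: date) -> int:
    """Whole days past the SLA deadline; 0 means within SLA (or open but not yet due)."""
    deadline = start + sla
    end = done if done is not None else today
    return max(0, (end - deadline).days)


def offboarding_exceptions(terminations, today: date) -> list[tuple[str, str]]:
    """terminations: iterable of (user, termination_date, access_removed_date_or_None)."""
    out = []
    for user, term, removed in terminations:
        late = days_late(term, removed, OFFBOARDING_SLA, today)
        if late:
            status = "still active" if removed is None else f"removed {late} day(s) late"
            out.append((user, status))
    return out


def vulnerability_exceptions(findings, today: date) -> list[tuple[str, int, bool]]:
    """findings: iterable of (id, severity, found_date, fixed_date_or_None).

    Returns (id, days_late, escalate); escalate is set once an item is overdue
    by more than its whole SLA again, the kind of aging issue that needs escalation.
    """
    out = []
    for vid, sev, found, fixed in findings:
        sla = VULN_SLA[sev]
        late = days_late(found, fixed, sla, today)
        if late:
            out.append((vid, late, timedelta(days=late) > sla))
    return out


# Constructed sample data (hypothetical people and findings, not real records).
TODAY = date(2024, 6, 30)
TERMINATIONS = [
    ("alice", date(2024, 5, 1), date(2024, 5, 1)),   # removed same day: clean
    ("bob", date(2024, 5, 10), date(2024, 5, 15)),   # removed, but 4 days past SLA
    ("carol", date(2024, 6, 20), None),              # still has access
]
VULNS = [
    ("VULN-1", "critical", date(2024, 6, 1), date(2024, 6, 5)),  # fixed within 7 days
    ("VULN-2", "high", date(2024, 4, 1), None),                  # 60 days overdue, escalate
    ("VULN-3", "medium", date(2024, 3, 1), date(2024, 6, 10)),   # fixed 11 days late
    ("VULN-4", "low", date(2024, 6, 1), None),                   # open but not yet due
]

if __name__ == "__main__":
    for user, status in offboarding_exceptions(TERMINATIONS, TODAY):
        print(f"offboarding exception: {user} ({status})")
    for vid, late, escalate in vulnerability_exceptions(VULNS, TODAY):
        print(f"vulnerability exception: {vid} {late} day(s) late, escalate={escalate}")
```

Note that the check deliberately reports items that were eventually closed but closed late (bob, VULN-3): an auditor sampling the period will treat those as exceptions even though the account is now disabled and the finding is now fixed, so the evidence you keep should show the remediation and the process change, not just the end state.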

Missing Security Monitoring Evidence

What happens: Auditors couldn't find evidence that security monitoring was active.

How to prevent:

  • Configure alerts to create tickets/records
  • Maintain security monitoring dashboards
  • Document monitoring coverage
  • Perform periodic monitoring reviews

Incident Not Documented

What happens: A security incident occurred but wasn't recorded per your incident response process.

How to prevent:

  • Train team on incident identification
  • Make incident reporting easy
  • Have clear incident thresholds
  • Review and document all potential incidents

4. Human Resources Exceptions

Training Not Completed

What happens: One or more employees didn't complete required security training.

How to prevent:

  • Track training completion automatically
  • Set reminders for approaching deadlines
  • Escalate incomplete training
  • Make training accessible

Missing Background Check

What happens: An employee was hired without completing a background check (or evidence wasn't available).

How to prevent:

  • Integrate background checks into hiring workflow
  • Maintain evidence of completed checks
  • Don't allow system access until checks complete
  • Audit hiring records regularly

Onboarding Documentation Incomplete

What happens: New hire security acknowledgments or training weren't documented.

How to prevent:

  • Use structured onboarding checklists
  • Require acknowledgments before system access
  • Track onboarding completion
  • Audit recent hires periodically

5. Vendor Management Exceptions

Missing Vendor Risk Assessment

What happens: A vendor handling customer data wasn't formally assessed.

How to prevent:

  • Maintain vendor inventory
  • Categorize vendors by data access
  • Require assessments for critical vendors
  • Review vendor list quarterly

Vendor SOC Report Not Reviewed

What happens: You rely on a vendor's SOC 2 report but didn't review it when received.

How to prevent:

  • Document vendor SOC report reviews
  • Create review checklist
  • Track vendor report expiration
  • Request updated reports proactively

6. Business Continuity Exceptions

Backup Restoration Not Tested

What happens: Backups were taken but restoration wasn't tested during the audit period.

How to prevent:

  • Schedule regular restoration tests
  • Document test results
  • Make testing part of routine operations

DR Test Not Conducted

What happens: Disaster recovery plans existed but weren't tested.

How to prevent:

  • Schedule annual DR tests
  • Document test procedures and results
  • Update plans based on test findings

Preventing Exceptions

Systematic Approaches

Automation

  • Automate evidence collection
  • Configure workflow enforcement
  • Use automated reminders

Documentation

  • Document processes clearly
  • Maintain evidence repositories
  • Create standard templates

Training

  • Train team on control requirements
  • Reinforce expectations regularly
  • Address gaps quickly

Monitoring

  • Track control operation
  • Identify issues early
  • Address before audit

Pre-Audit Review

Before your audit:

  • Review all recurring controls
  • Verify evidence is complete
  • Address any gaps proactively
  • Conduct internal testing

Addressing Exceptions in Your Report

During the Audit

If an exception is identified:

  • Understand exactly what occurred
  • Provide context to auditors
  • Show remediation if completed
  • Don't make excuses; acknowledge the issue and address it

In the Report

How exceptions typically appear:

  • Description of control tested
  • Testing procedure performed
  • Exception identified
  • Your response or remediation

Customer Conversations

When customers ask about exceptions:

  • Acknowledge the finding
  • Explain context if relevant
  • Describe what you've done to address it
  • Demonstrate process improvement

Exception Remediation

Immediate Actions

When an exception is identified:

  1. Understand root cause
  2. Fix the immediate issue
  3. Document the remediation
  4. Update processes to prevent recurrence

Long-term Improvements

To prevent future exceptions:

  • Address systemic causes
  • Update procedures
  • Improve training
  • Enhance monitoring
  • Automate where possible

The Bastion Approach

We help minimize exceptions through:

  • Pre-audit preparation - Identifying potential issues before auditors arrive
  • Process design - Building processes that naturally produce evidence
  • Continuous monitoring - Catching issues throughout the year
  • Evidence management - Ensuring documentation is complete and organized
  • Remediation support - Addressing any issues that arise quickly

Our goal is a clean report and, when exceptions do occur, demonstrably mature handling of them.
