
SOC 2 Common Audit Findings: The 12 Issues That Delay Your Report

Lorikeet Security Team February 28, 2026 10 min read

SOC 2 audit exceptions are not failures in the binary sense, but they are disclosed in your report for every reader to see. Enterprise security teams reviewing your SOC 2 report will flag exceptions and may require remediation evidence before approving your service. Here are the 12 findings we see most frequently and how to prevent them.


The 12 Most Common Findings

1. Incomplete user access reviews

Access reviews must be performed at the frequency your policy specifies, typically quarterly. The most common exception is missing one or more quarterly reviews during the observation period, or performing reviews without documenting the results and remediation of inappropriate access.

2. Missing or outdated policies

Policies must exist, be approved by management, communicated to employees, and reviewed at least annually. Finding a policy that was last updated three years ago, or discovering that a required policy simply does not exist, results in an exception.

3. Inadequate change management

Changes to production systems must be documented, tested, approved, and reviewed. Code deployed directly to production without a pull request, code review, or approval process creates exceptions. Even a single uncontrolled deployment during the observation period is reportable.

4. Missing background checks

If your policy requires background checks for new hires, every hire during the observation period must have a documented check. Missing checks for contractors, international employees, or employees who started before the policy was implemented are common gaps.
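As an added example that is not part of the original post, the check below applies the observation-period logic behind findings 1 and 4 to constructed sample records: every calendar quarter overlapping the period needs an access review with documented results, and every hire starting inside the period needs a documented background check. The dates, names and record layout are assumptions standing in for what you would export from your ticketing and HR systems.

```python
from datetime import date

# Constructed sample data for a Type II observation period (not real records).
OBSERVATION = (date(2025, 1, 1), date(2025, 12, 31))
ACCESS_REVIEWS = [  # one entry per review that was actually performed
    {"date": date(2025, 2, 10), "results_documented": True},
    {"date": date(2025, 5, 3), "results_documented": False},  # done, but no results/remediation record
    {"date": date(2025, 11, 20), "results_documented": True},
]
HIRES = [  # background_check is the date the check was completed, or None
    {"name": "alice", "start": date(2025, 3, 1), "type": "employee", "background_check": date(2025, 2, 20)},
    {"name": "bob", "start": date(2025, 7, 14), "type": "contractor", "background_check": None},
]


def quarter_of(d):
    """Map a date to its calendar quarter as (year, quarter)."""
    return (d.year, (d.month - 1) // 3 + 1)


def quarters_in(start, end):
    """Yield every (year, quarter) whose calendar quarter overlaps [start, end]."""
    y, q = quarter_of(start)
    while date(y, 3 * q - 2, 1) <= end:  # first day of the quarter still inside the period
        yield (y, q)
        y, q = (y + 1, 1) if q == 4 else (y, q + 1)


def access_review_exceptions(reviews, period=OBSERVATION):
    """Finding 1: return (quarter, reason) for each quarter without a documented review."""
    documented = {quarter_of(r["date"]) for r in reviews if r["results_documented"]}
    performed = {quarter_of(r["date"]) for r in reviews}
    exceptions = []
    for yq in quarters_in(*period):
        if yq in documented:
            continue
        reason = "review not documented" if yq in performed else "no review"
        exceptions.append((yq, reason))
    return exceptions


def background_check_exceptions(hires, period=OBSERVATION):
    """Finding 4: names of hires starting inside the period with no completed check."""
    lo, hi = period
    return [h["name"] for h in hires if lo <= h["start"] <= hi and h["background_check"] is None]


if __name__ == "__main__":
    print("access review gaps:", access_review_exceptions(ACCESS_REVIEWS))
    print("background check gaps:", background_check_exceptions(HIRES))
```

Run with real exports before the observation period starts and again each quarter; an empty list from both functions is the evidence state you want the auditor to find.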

5. No vendor risk assessments

Critical vendors, especially cloud infrastructure providers and data processors, must be assessed for security. Many organizations use AWS or Azure without ever reviewing their SOC 2 reports or documenting the vendor risk assessment.

6. MFA not enforced

MFA must be enforced, not just available. If your policy requires MFA for all production access and any account is found without MFA enabled, that is an exception. Service accounts without MFA often trigger this finding.


Findings 7-12

7. Insufficient logging

Audit logs must capture security-relevant events and be retained per policy. Gaps in log collection, missing log sources, or retention shorter than your stated policy period are findings.

8. No incident response testing

Your incident response plan must be tested at least annually through tabletop exercises or simulations. Having an untested plan is a common exception.

9. Encryption gaps

Data at rest and in transit must be encrypted per your policy. Unencrypted database backups, S3 buckets without server-side encryption, or internal services communicating over HTTP are findings.

10. Missing security awareness training

All employees must complete security awareness training, typically annually. Missing training records for new hires or employees who missed the annual training cycle create exceptions.

11. Incomplete asset inventory

System components in scope must be inventoried and classified. Shadow IT, undocumented servers, or unknown SaaS applications used by employees create gaps.

12. No business continuity testing

If Availability is in your SOC 2 scope, your business continuity and disaster recovery plans must be tested annually. Untested plans or failed tests without documented remediation are findings.

Prevention strategy: Conduct a readiness assessment before your observation period begins. Address all identified gaps before the clock starts. It is much easier to fix a gap before the observation period than to explain an exception in your report.

Need security testing or compliance support?

We provide penetration testing, compliance assessments, and security consulting for organizations at every stage.

Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.
