February 28, 2024

What Are SOC 2 Audit Exceptions?

Devon Lane
Content writer
at Flowbase

In a SOC 2 audit, your auditor will do a review of all your controls and documentation and how they stack up against the trust services criteria you’re being evaluated on. Ideally, this review leads to an unqualified opinion — meaning you’ve passed the audit and are officially SOC 2 compliant.

The one thing that can get in the way of a positive SOC 2 compliance report and lead to a qualified or adverse opinion is audit exceptions. These are irregularities or mishaps in your systems that need to be remedied before you can be listed as compliant. In this article, we’re exploring what SOC 2 audit exceptions are, what it means for your SOC 2 compliance journey, and how you can avoid them. 

What Is a SOC 2 Audit Exception?

In a SOC 2 report, an audit exception is any situation in which a control was not established appropriately or did not work as intended.

Let’s say, for instance, that one of your controls is that every employee uses multi-factor authentication to log into work applications. If the auditor discovers that this isn’t actually true, and that 20% of your employees aren’t compliant with this policy, that would have to be identified as an exception. This would be an example of an operating effectiveness exception. (More on that below.) 

The most common types of exceptions that we’ve seen in audits include: 

System Description Misstatements

These exceptions are based on errors or omissions in how a service or system is described. Regardless of whether these misstatements are intentional or innocent mistakes, they will be marked as exceptions in the audit report. 

An example of a system description misstatement would be if you report that every new employee goes through a policy review during their onboarding, but that process isn’t actually enforced. 

Deficiencies in the Design of Controls

An exception that points to a design deficiency is usually identifying a necessary control that is either poorly designed and ineffective, or missing entirely. For instance, if you were to have a control that’s meant to conduct access reviews for certain applications, but the list of users to review access for isn’t complete, that’s a design deficiency. This is because it’s not designed to include all users, so there could be missed access requests. 

Issues in the Operating Effectiveness of Controls

Operating effectiveness exceptions occur when a control doesn’t operate in the way it should. For example, if there’s a control in place for confirming that users have installed a password manager like LastPass, but 40% of the company hasn’t downloaded the password manager and has faced no consequences, that would lead to an exception. 

What Does It Mean to Get an Audit Exception? 

Getting an audit exception doesn’t necessarily mean you’ve failed your audit. As you may know, there are four types of auditor opinions you can get following your SOC 2 audit. These include unqualified (a pass with no exceptions), qualified, adverse, or disclaimer of opinion. A qualified opinion means you’re close, but not all systems pass, and adverse means there’s still work to be done. The disclaimer of opinion happens when there isn’t enough evidence to make a clear opinion.

The good news is that not all exceptions will impact the auditor’s opinion. If one control fails, but there are compensating controls that can mitigate the risk and meet the criterion, the auditor will most likely note the control as an exception. The criterion is still being met with the compensating controls, and therefore warrants an unqualified opinion. 

There are a lot of nuances here. It will depend on the number, level of impact, and severity of the exceptions whether they impact the auditor’s opinion. 

How to Avoid SOC 2 Audit Exceptions

Exceptions may seem like a scary part of the SOC 2 journey, especially since getting your report takes significant time and investment, but it doesn’t have to be. There are many things you can do to reduce the risk of exceptions. These include: 

  • Automating as much as you can. As we’ve outlined above, it’s pretty easy to introduce human error into your compliance efforts. Introducing automation can ensure that all the controls and rules you set up are executed automatically, and any non-compliance can be identified quickly.
  • Monitoring everything. Implement an automated monitoring system that tracks compliance and flags any potential issues early on. 
  • Having a compliance lead. Make sure there’s someone responsible and accountable for ensuring that your controls are effective. This could also be a compliance advisory team (like Marana) that you hire and put in charge of the SOC 2 compliance project. 
  • Choose the right auditor. At best, your SOC 2 auditor should be a partner. They should be open to sharing best practices and potential pitfalls so you can better set your team up for success.
  • Educating your teams. Compliance is a team activity. The more informed your teams are, the better able they will be to remain compliant across the board.

Adopting these practices will help mitigate your exposure to exceptions, and set you up for success by the time you’re ready to run your audit. 

At Marana, we take a comprehensive approach to helping companies achieve SOC 2 compliance. Keen to learn more about how we do it? Let’s chat.

We’re here to help.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt.

Get Started
LEARN MORE!
Responsive Components
Responsive Components
Responsive Components
Hey! Have any questions?

Frequently Asked
Questions

What type of compliance standard can you help with?

We help our clients based on their needs. The majority of our contracts involve SOC-2, HIPAA, and most recently GDPR. Feel free to ask us if we can help with your particular case. If we aren't able to, we can most likely recommend you to someone who can.

How long does a SOC 2 engagement usually take?

We move as fast as our clients are able to make progress. Our fastest client to date got their SOC-2 Type I four months after signing our engagement letter. That record is up for grab if you are up for it.

In our experience however, it takes 6-9 months to achieve a SOC-2 Type I,  and 3-6 additional months to obtain a SOC-2 Type II report.

Which standard do you follow for your security policies?

All of our security policies follow the ISO-27001 standard. The Confidentiality, Integrity, and Availability standards cover the range of standards we like to work with for SOC 2.

Why do we have to become SOC 2 compliant if we are relying on AWS which is already compliant?

SOC 2 stands for Service Organization Control, meaning your clients are interested in understanding your controls, not your hosting provider’s control. As part of your vendor assessment we recommend reviewing AWS’ SOC 2 report, but relying on their report is not enough to become SOC 2 compliant.

Who is behind SOC 2?

The American Institute of CPAs. The AICPA is an established and respected organization that provides two forms of audits to companies that demonstrate evidence of a secure data-protection infrastructure. A Type I is a point in time audit that addresses the company’s description of its system, the suitability of the system’s design, and the effectiveness of its internal data controls. A Type II report happens over a period of time and emphasizes design and also focuses on the validity of the company’s controls.

Are SOC 2 reports a legal obligation?

No, but most enterprise level organizations that engage with sensitive data (again, almost all of them) have an obligation to their stakeholders to prove due diligence regarding data security, which means they’ll want to vet their service providers using this tool. SOC 2 can help these prospective service providers set themselves apart from the competition. Just as important, a SOC 2 report represents a meaningful and respected signifier of trust.

What can happen to a company without a SOC 2 report?

A lack of a SOC 2 report won’t result in legal problems, but it can and will limit outside assessments of the company’s commitment to data security. When large-scale clients look for providers, or large-scale backers look for a likely return on their investment, they don’t want concerns about security to stand in the way. Trust is a chain made of links that have each been put the test and have proven their ability to withstand pressure and scrutiny. Company leaders are wise to let SOC 2 auditors apply this pressure so their clients and backers don’t have to.

When is it too late for a SOC 2 audit?

Never. Even companies that have been in business for years but have never obtained a SOC 2 report can—and should—take steps in this direction now. Being compliant with SOC 2 can open the door to a broader base of more significant clients and larger contract opportunities. That being said, startups in the threshold of the marketplace, and new business owners who hope for an eventual public offering, should obtain a SOC 2 report during the development and financing process. By the time the company approaches Series B and C fundraising rounds, a report should be in hand.

How complicated is the auditing process?

The auditing process can be easy, or complicated depending on your level of preparation.

Preparing for the audit can take some time, attention, and the guidance of reliable data security experts. Don’t leave any part of this process to chance. Approach SOC 2 compliance one step at a time, and start by contacting a consulting firm with track record of experience in your area of the marketplace.

Home
Resources
Contact
Raze™ All Rights Reserved, 2022.
Style Guide
Licence
Changelog