In a SOC 2 audit, your auditor will do a review of all your controls and documentation and how they stack up against the trust services criteria you’re being evaluated on. Ideally, this review leads to an unqualified opinion — meaning you’ve passed the audit and are officially SOC 2 compliant.
The one thing that can get in the way of a positive SOC 2 compliance report and lead to a qualified or adverse opinion is audit exceptions. These are irregularities or mishaps in your systems that need to be remedied before you can be listed as compliant. In this article, we’re exploring what SOC 2 audit exceptions are, what it means for your SOC 2 compliance journey, and how you can avoid them.
What Is a SOC 2 Audit Exception?
In a SOC 2 report, an audit exception is any situation in which a control was not established appropriately or did not work as intended.
Let’s say, for instance, that one of your controls is that every employee uses multi-factor authentication to log into work applications. If the auditor discovers that this isn’t actually true, and that 20% of your employees aren’t compliant with this policy, that would have to be identified as an exception. This would be an example of an operating effectiveness exception. (More on that below.)
The most common types of exceptions that we’ve seen in audits include:
System Description Misstatements
These exceptions are based on errors or omissions in how a service or system is described. Regardless of whether these misstatements are intentional or innocent mistakes, they will be marked as exceptions in the audit report.
An example of a system description misstatement would be if you report that every new employee goes through a policy review during their onboarding, but that process isn’t actually enforced.
Deficiencies in the Design of Controls
An exception that points to a design deficiency is usually identifying a necessary control that is either poorly designed and ineffective, or missing entirely. For instance, if you were to have a control that’s meant to conduct access reviews for certain applications, but the list of users to review access for isn’t complete, that’s a design deficiency. This is because it’s not designed to include all users, so there could be missed access requests.
Issues in the Operating Effectiveness of Controls
Operating effectiveness exceptions occur when a control doesn’t operate in the way it should. For example, if there’s a control in place for confirming that users have installed a password manager like LastPass, but 40% of the company hasn’t downloaded the password manager and has faced no consequences, that would lead to an exception.
What Does It Mean to Get an Audit Exception?
Getting an audit exception doesn’t necessarily mean you’ve failed your audit. As you may know, there are four types of auditor opinions you can get following your SOC 2 audit. These include unqualified (a pass with no exceptions), qualified, adverse, or disclaimer of opinion. A qualified opinion means you’re close, but not all systems pass, and adverse means there’s still work to be done. The disclaimer of opinion happens when there isn’t enough evidence to make a clear opinion.
The good news is that not all exceptions will impact the auditor’s opinion. If one control fails, but there are compensating controls that can mitigate the risk and meet the criterion, the auditor will most likely note the control as an exception. The criterion is still being met with the compensating controls, and therefore warrants an unqualified opinion.
There are a lot of nuances here. It will depend on the number, level of impact, and severity of the exceptions whether they impact the auditor’s opinion.
How to Avoid SOC 2 Audit Exceptions
Exceptions may seem like a scary part of the SOC 2 journey, especially since getting your report takes significant time and investment, but it doesn’t have to be. There are many things you can do to reduce the risk of exceptions. These include:
- Automating as much as you can. As we’ve outlined above, it’s pretty easy to introduce human error into your compliance efforts. Introducing automation can ensure that all the controls and rules you set up are executed automatically, and any non-compliance can be identified quickly.
- Monitoring everything. Implement an automated monitoring system that tracks compliance and flags any potential issues early on.
- Having a compliance lead. Make sure there’s someone responsible and accountable for ensuring that your controls are effective. This could also be a compliance advisory team (like Marana) that you hire and put in charge of the SOC 2 compliance project.
- Choose the right auditor. At best, your SOC 2 auditor should be a partner. They should be open to sharing best practices and potential pitfalls so you can better set your team up for success.
- Educating your teams. Compliance is a team activity. The more informed your teams are, the better able they will be to remain compliant across the board.
Adopting these practices will help mitigate your exposure to exceptions, and set you up for success by the time you’re ready to run your audit.
At Marana, we take a comprehensive approach to helping companies achieve SOC 2 compliance. Keen to learn more about how we do it? Let’s chat.