Common SOC 2 Audit Exceptions and How to Avoid Them
Exceptions are the part of the SOC 2 process that service organizations fear most — and understand least. The word sounds serious. Buyers notice them. Sales teams worry about them. And yet, in practice, minor exceptions are common in first-time SOC 2 engagements, well-managed exceptions rarely affect deal outcomes, and the organizations that handle exceptions best are those that understand exactly what they are and how they are assessed.
SOC 2 audit exceptions are documented findings where CertPro CPA LLC’s testing reveals that a control did not operate as described during the observation period. They are not failures of the organization — they are findings that require documentation, assessment, and response. A SOC 2 report with minor, well-explained exceptions from a rigorous CPA firm like CertPro CPA LLC is more credible than a report with no exceptions from an auditor who did not look hard enough.
This guide from CertPro CPA LLC explains exactly what SOC 2 audit exceptions are, how they are classified, which controls most commonly produce them, how buyers assess them, and — most importantly — how to prevent them through operational disciplines that start well before fieldwork begins.
TL;DR:
Concern: With SOC 2 audit outcomes directly affecting enterprise sales, service organizations find it hard to understand what exceptions actually mean — whether they disqualify a report, how buyers assess them, and which control failures most commonly produce them.
Overview: SOC 2 audit exceptions are documented findings where a control did not operate as described during the observation period — classified by the licensed CPA firm conducting the examination under AICPA standards based on their nature, frequency, and potential impact on the overall opinion.
Solution: Service organizations should understand what exceptions are, how auditors classify them, which controls generate the most exceptions in practice, and how to build the operational disciplines that prevent exceptions from appearing in their SOC 2 report in the first place.
A SOC 2 audit exception is a finding documented by CertPro CPA LLC in Section 4 of the SOC 2 report where testing revealed that a control did not operate as described during the observation period. Exceptions are a normal part of the SOC 2 process — particularly in first-time engagements — and their significance varies enormously depending on which control failed, how often it failed, and what the downstream impact was.
Understanding exceptions begins with understanding what they are — and what they are not.
What is a SOC 2 Audit Exception?
An exception occurs when CertPro CPA LLC tests a control and finds evidence that it did not function as documented. The control may have been performed inconsistently, performed by the wrong person, performed outside the required timeframe, or not performed at all during specific instances within the observation period.
What an exception is not:
An exception is not evidence that the service organization’s entire security programme has failed. It is not a disqualifying finding that automatically prevents report issuance. It is not evidence of a data breach or a security incident — though a security incident may itself be documented as an exception if the incident response control did not operate as designed.
What an exception is:
An exception is a specific, documented finding that a specific control, in specific instances, did not operate as described. CertPro CPA LLC documents it with sufficient detail for readers to understand its nature, assess its significance, and determine whether it affects their reliance on the service organization’s controls.
The exception documentation in Section 4 of the SOC 2 audit report follows a consistent structure: Control description (what the control is supposed to do), Test applied (what CertPro CPA LLC did to test it), Exception found (what the testing revealed, including frequency), and Management response (the service organization’s explanation and any corrective action taken).
How Exceptions Affect the Auditor’s Opinion
Not every exception affects the auditor’s opinion in the same way. CertPro CPA LLC evaluates exceptions based on their nature, frequency, and potential impact to determine whether they affect the overall opinion issued in Section 1 of the SOC 2 report.
Unqualified opinion with exceptions — the most common outcome for reports that contain minor exceptions. CertPro CPA LLC issues an unqualified opinion — meaning the controls met the applicable Trust Services Criteria overall — while documenting the specific exceptions in Section 4. This is possible because individual control exceptions do not necessarily mean the overall control environment failed to achieve the criteria.
Qualified opinion — issued when exceptions are material enough that the controls in a specific area did not meet the applicable criteria — but the overall control environment met the criteria in all other areas. A qualified opinion identifies the specific criteria affected and the nature of the qualification.
Adverse opinion — issued when exceptions are pervasive enough that the overall control environment did not meet the applicable criteria. Adverse opinions are rare and almost always avoidable with adequate readiness assessment and control implementation before the observation period begins.
The vast majority of SOC 2 reports — including those with documented exceptions — carry unqualified opinions. The presence of exceptions does not prevent an unqualified opinion; it is the materiality and pervasiveness of those exceptions that determines the opinion type.
The Most Common SOC 2 Audit Exceptions
Based on CertPro CPA LLC’s examination experience across SOC 2 engagements in multiple sectors, the following control areas generate the highest frequency of exceptions. Understanding these patterns is the most practical guide to prevention.
1. Access Review Exceptions
Access reviews are periodic examinations of which users have access to which systems — designed to identify and remove accounts that are no longer authorized. Exceptions occur when reviews are missed or delayed, terminated employee accounts remain active past the required deadline, or privileged access is granted without following the documented approval process.
Why they are common: Access reviews require consistent, timely execution across every user lifecycle event throughout the observation period. In organizations with high personnel turnover, rapid growth, or manual access management processes, maintaining perfect execution across every instance is operationally demanding.
How to prevent them: Automate account deprovisioning where possible, build access review reminders into the compliance calendar with clear ownership, maintain a real-time log of provisioning and deprovisioning actions, and conduct internal access reviews quarterly in a format that mirrors what CertPro CPA LLC will test.
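The quarterly internal access review described above can be run as a script that joins HR termination records to an identity-provider account export and reports results in the "N of M instances tested" form an auditor uses. This is an added illustration, not CertPro CPA LLC's tooling; the two-day deprovisioning deadline, the review date and all user records are constructed sample values.

```python
from datetime import date, timedelta

# Constructed sample: HR termination dates for the observation period.
TERMINATIONS = {
    "alice": date(2024, 3, 1),
    "bob": date(2024, 3, 5),
    "carol": date(2024, 3, 20),
    "dave": date(2024, 3, 28),
}

# Constructed sample: identity-provider account export on the review date.
# "disabled_on" is None while the account is still active.
ACCOUNTS = {
    "alice": {"status": "disabled", "disabled_on": date(2024, 3, 1)},
    "bob": {"status": "active", "disabled_on": None},      # never disabled
    "carol": {"status": "disabled", "disabled_on": date(2024, 3, 27)},  # late
    "dave": {"status": "disabled", "disabled_on": date(2024, 3, 29)},
    "erin": {"status": "active", "disabled_on": None},     # still employed
}


def review_deprovisioning(terminations, accounts, review_date, deadline_days=2):
    """Return one dict per termination where the account outlived its deadline.

    deadline_days is an assumed policy value: accounts must be disabled within
    that many calendar days of the termination date.
    """
    exceptions = []
    for user, term_date in terminations.items():
        deadline = term_date + timedelta(days=deadline_days)
        acct = accounts.get(user)
        if acct is None:
            continue  # account already deleted: the control operated
        if acct["status"] == "active":
            late = max((review_date - deadline).days, 0)
            exceptions.append({"user": user, "reason": "still active", "days_late": late})
        elif acct["disabled_on"] > deadline:
            late = (acct["disabled_on"] - deadline).days
            exceptions.append({"user": user, "reason": "disabled late", "days_late": late})
    return exceptions


def finding_summary(exceptions, population):
    """Phrase the result the way Section 4 of a report states frequency."""
    return f"{len(exceptions)} of {population} instances tested"


if __name__ == "__main__":
    found = review_deprovisioning(TERMINATIONS, ACCOUNTS, date(2024, 3, 31))
    print(finding_summary(found, len(TERMINATIONS)), found)
```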
2. Security Awareness Training Exceptions
SOC 2 requires that all personnel receive security awareness training on a defined periodic basis. Exceptions occur when training is not completed by all required personnel within the defined timeframe, new hires miss onboarding training, or completion records are not maintained in testable form.
How to prevent them: Use a learning management system that generates automated completion reports, set automated reminders that escalate to managers when training is overdue, and include new hire training completion in the onboarding checklist with a defined deadline.
3. Vulnerability Management Exceptions
Vulnerability management controls require scanning on a defined schedule and remediation within defined timeframes by severity. Exceptions occur when scans are missed, critical vulnerabilities are not remediated within the defined window, or risk acceptances are not formally documented.
How to prevent them: Set realistic remediation timeframes reflecting actual operational capacity, integrate vulnerability remediation into engineering workflows, and document risk acceptance decisions formally with approval, rationale, and a defined review date.
4. Change Management Exceptions
Change management controls require all production changes to be approved before implementation. Exceptions occur when changes are deployed without following the documented approval process, emergency changes lack retroactive documentation, or the change log contains gaps.
How to prevent them: Integrate change management requirements into the deployment pipeline, define a clear emergency change process with retroactive approval within 24 hours, and conduct monthly change management reviews to identify any deployments not accounted for in approved records.
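The monthly reconciliation described above, with the 24-hour retroactive window for emergency changes, can be checked against a deployment log and the approved change records. This is an added illustration and not CertPro CPA LLC's tooling; the deployment and change ticket data are constructed samples, and the field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: production deployment log for one month.
DEPLOYMENTS = [
    {"id": "deploy-101", "change": "CHG-1", "at": datetime(2024, 4, 1, 10, 0), "emergency": False},
    {"id": "deploy-102", "change": None, "at": datetime(2024, 4, 2, 9, 30), "emergency": False},
    {"id": "deploy-103", "change": "CHG-3", "at": datetime(2024, 4, 3, 22, 0), "emergency": True},
    {"id": "deploy-104", "change": "CHG-4", "at": datetime(2024, 4, 5, 1, 0), "emergency": True},
    {"id": "deploy-105", "change": "CHG-5", "at": datetime(2024, 4, 6, 12, 0), "emergency": False},
]

# Constructed sample: approved change tickets and their approval timestamps.
CHANGES = {
    "CHG-1": {"approved_at": datetime(2024, 3, 31, 15, 0)},  # approved beforehand
    "CHG-3": {"approved_at": datetime(2024, 4, 4, 8, 0)},    # retroactive, 10h later
    "CHG-4": {"approved_at": datetime(2024, 4, 7, 9, 0)},    # retroactive, 56h later
    "CHG-5": {"approved_at": datetime(2024, 4, 6, 14, 0)},   # standard change, approved after
}


def reconcile_changes(deployments, changes, retro_window=timedelta(hours=24)):
    """Return (deployment id, reason) for every deployment not covered by an
    approval that satisfies the documented process."""
    exceptions = []
    for d in deployments:
        ticket = changes.get(d["change"]) if d["change"] else None
        if ticket is None:
            exceptions.append((d["id"], "no approved change record"))
            continue
        approved = ticket["approved_at"]
        if approved <= d["at"]:
            continue  # standard path: approval preceded deployment
        if d["emergency"] and approved - d["at"] <= retro_window:
            continue  # emergency path: retroactive approval within the window
        if d["emergency"]:
            exceptions.append((d["id"], "retroactive approval outside 24h window"))
        else:
            exceptions.append((d["id"], "deployed before approval"))
    return exceptions


if __name__ == "__main__":
    found = reconcile_changes(DEPLOYMENTS, CHANGES)
    print(f"{len(found)} of {len(DEPLOYMENTS)} instances tested", found)
```

Running the reconciliation monthly, rather than waiting for fieldwork, lets the gaps be documented as internally identified and corrected instead of auditor-discovered.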
5. Vendor Risk Assessment Exceptions
Vendor risk management controls require periodic assessment of third-party providers. Exceptions occur when assessments are not completed for all in-scope vendors, a vendor’s SOC 2 report expires without renewal, or new vendors are onboarded without required security assessment.
How to prevent them: Maintain a vendor inventory with assessment due dates and assigned owners, set automated reminders when vendor assessments approach renewal, and require vendor security assessments as a condition of contract renewal.
6. Incident Response Exceptions
Incident response controls require detection, response, documentation, and recovery following a defined procedure. Exceptions occur when incidents are not logged, the response procedure is not followed, post-incident reviews are missed, or alert fatigue causes genuine alerts to be dismissed without investigation.
How to prevent them: Conduct tabletop exercises before the observation period begins, require all incidents to be logged in the incident management system, and define clear thresholds for what constitutes a reportable incident.
7. Logical Access Control Exceptions
Logical access controls govern authentication — including MFA requirements, password policies, and session management. Exceptions occur when MFA is not enforced for all required systems, password policies are inconsistently applied, shared accounts are used in violation of policy, or privileged accounts lack additional authentication requirements.
How to prevent them: Conduct a comprehensive access configuration review before the observation period begins, enforce MFA through centralized identity management, and review access configurations as part of the change management process whenever new systems or integrations are added.
How Buyers Assess SOC 2 Exceptions
Sophisticated enterprise buyers do not treat exceptions as binary disqualifiers. They assess each exception on its merits, asking the questions that determine whether the exception represents a real risk to their business:
What control failed? An exception in a peripheral administrative control is less significant than an exception in a core security control like access management or incident response.
How often did it fail? “In 1 of 52 instances tested” is very different from “In 12 of 52 instances tested.” Frequency signals whether the exception is isolated or systemic.
Was there any downstream impact? An exception that resulted in a security event, a data exposure, or a service disruption is more significant than one that caused no apparent harm.
Has it been remediated? A well-documented management response describing root cause analysis and corrective action demonstrates that the organization identifies problems and fixes them — which is itself evidence of a functioning compliance programme.
Is it a recurring exception? Buyers who receive multiple consecutive annual reports containing the same exception will question whether the organization is capable of sustaining the required control discipline. Recurring exceptions signal systemic weakness, not isolated failure.
For guidance on how buyers read and interpret the full SOC 2 report, see the detailed section breakdown in the SOC 2 Report article.
How to Prevent SOC 2 Audit Exceptions
Prevention starts before the observation period — with a structured SOC 2 readiness assessment that identifies control gaps and gives the service organization time to remediate before evidence collection begins. Controls that are not implemented and documented before the observation period starts cannot produce clean evidence during it.
Assign clear ownership — every control must have a named owner who understands their responsibility and performs the control on schedule. Controls without clear ownership are performed inconsistently.
Build evidence collection into operations — logs, records, completed forms, and system outputs generated during the observation period are what CertPro CPA LLC tests. Evidence that is assembled after the fact, or reconstructed from memory, does not satisfy the evidentiary requirements of an AICPA examination.
Conduct internal control reviews — periodic self-assessments during the observation period identify control failures early, allowing corrective action before CertPro CPA LLC’s fieldwork begins. A control failure that is identified and corrected internally is handled very differently in the report than one discovered by the auditor.
Maintain documented policies — every control must be described in a written policy or procedure that accurately describes how it operates. Controls performed differently from their documentation generate exceptions regardless of whether the actual performance was adequate.
Review the Common Criteria in detail — the Common Criteria define the baseline control requirements for every SOC 2 engagement. Understanding what each criterion requires, and mapping your controls to those requirements explicitly, is the most systematic approach to exception prevention.
Begin Your SOC 2 Examination with CertPro CPA LLC
CertPro CPA LLC is a licensed CPA firm that conducts SOC 2 examinations under AICPA AT-C Section 205. Our readiness assessment process identifies the control gaps most likely to produce exceptions — and our engagement management approach gives service organizations the time and guidance needed to remediate them before fieldwork begins.
Explore the full SOC 2 hub for detailed guidance on every aspect of the SOC 2 process.
Ready to begin? Contact CertPro CPA LLC to scope your SOC 2 engagement.
FAQ
Do SOC 2 exceptions disqualify a report?
No. Exceptions are documented findings — they do not automatically prevent report issuance or disqualify the report from use. The significance of exceptions depends on the control involved, the frequency of failure, and whether there was any downstream impact. Minor, isolated exceptions with clear management responses rarely affect enterprise buyer decisions.
What is the difference between a minor and a major exception?
There is no formal AICPA classification of “minor” and “major” exceptions. CertPro CPA LLC evaluates exceptions based on their nature, frequency, and potential impact to determine whether they affect the overall opinion. Exceptions that are pervasive or material enough to affect the overall conclusion result in a qualified opinion rather than an unqualified one.
Can I dispute an exception finding?
Yes. Before the report is finalized, CertPro CPA LLC shares findings with management and provides the opportunity to review and respond. If management believes a finding is incorrect — for example, because the evidence was misinterpreted or additional evidence was not considered — this can be raised and assessed before the report is issued.
What should I include in a management response to an exception?
A management response should explain why the exception occurred, describe the corrective action taken to address the root cause, and indicate when the corrective action was implemented. A clear, factual response that demonstrates accountability and remediation is more reassuring to buyers than no response or a defensive explanation.
How many exceptions is too many?
There is no numerical threshold. What matters is the materiality and pervasiveness of the exceptions — whether they indicate isolated operational failures or systemic weaknesses. A report with fifteen minor access review exceptions may be less concerning to buyers than a report with one exception in a core security control that resulted in unauthorized data access.
Do exceptions carry over to the next year's report?
Not automatically. Each annual engagement is a fresh examination of the new observation period. However, CertPro CPA LLC will look at whether exceptions from the prior period have been remediated — and if the same control continues to generate exceptions in consecutive reports, this pattern will be visible to buyers who review multiple years of reports.