What are SOC 2 audit exceptions?

Despite being prepared to go through the SOC compliance procedure, many companies and organisations doing it for the first time have a fear of failure. That fear is justified, because there are many reasons your audit could fall through.

Certain exceptions can affect you and your company during the observation period. These are pretty common to overlook, especially as a beginner. So, before jumping straight into what they are, let’s find out what an audit exception is.

What do you mean by an audit exception?

Any instance where a control design fails to be established as intended or operates ineffectively is known as an audit exception.

Before we begin to understand what audit exceptions are and how they can be avoided, we want to get one very frequently encountered question out of the way.

Does receiving an exception from the auditor imply that my audit has failed?

The answer is a big NO. Receiving an exception does NOT necessarily mean that an audit has failed. You can still be SOC 2 compliant, with clear action points to address the exceptions.

If you receive a Qualification in your report, though, that is considered much more adverse, and could lead to a failed audit. We shall talk about Qualifications in a separate blog.

How do exceptions appear in the CPA’s report?

Control: IT system access is reviewed on a quarterly basis.
Test procedure: Inspected the information security policies containing access controls to determine that these are documented.
Test result: Exceptions noted. Access review for a sample of the quarter was not available during the audit.
Management response: The access review process will be followed rigorously on a quarterly basis.

Control: The use of removable media is prohibited by policy except when authorized by management.
Test procedure: Inspected settings for removable media.
Test result: Exceptions noted. USB drives for a sample of systems were not blocked.
Management response: We have planned to get USB drives blocked for all systems by August 2022.

Control: Signature files are updated daily. Antivirus console provides compliance reports about non-updated machines.
Test procedure: Inspected a query report from the console showing not updated computers and determined that there were no such cases. Inspected the antivirus/firewall console for configuration details about updating and alerts.
Test result: Exceptions noted. For a sample of systems during the audit the antivirus was not installed.
Management response: We have planned to get antivirus installed on all systems by August 2022.

What is a management response to an exception?

Management response to an exception is essentially a response by a company’s management that indicates how an exception has been addressed – either in the form of a mitigation step or a justification for accepting the risk.

Types of exceptions in audits

To simplify the concept of audit exceptions further, we have compiled the three most common types of exceptions that come up during audit review. They are:

  1. Misstatements in system description
    Any error or omission in how you describe your company’s systems and processes is known as a misstatement. This could either be intentional, like leaving out a part of the system on purpose, or unintentional, like forgetting to update the description after changes you’ve recently made in the system. Either way, it will be received as a misstatement on your part. For instance, if you claim that all your new employees have received security training, but in reality they haven’t, and the auditor finds out, it will be a misstatement.
  2. Deficient design controls
    When a required control is missing, or an essential part of an existing control is not properly designed and the control is therefore ineffective, it is an exception. This is known as a deficiency in design controls. For instance, if you have a designated control for performing access reviews in place for the primary applications, but the process meant for obtaining user lists to perform the reviews doesn’t include all users, it would be labelled as a design deficiency.
  3. Lack of operative effectiveness
    The lack of operative effectiveness is considered to be an exception because the controls do not perform as expected. Let’s say you have the controls in place necessary for performing background checks on new employees or hires. Now while the auditor is reviewing your application, he finds out that your organisation did not review half of the new hires under this control. Therefore, there is an operating effectiveness exception.

Reasons behind audit failure

We’ve had our fair share of dealing with SOC 1/SOC 2 audits to know exactly the kind of mistakes one is prone to make. Many of these audit exceptions can create a less secure environment that can threaten to hinder your organisation’s reputation. However, every organisation differs in nature, so you cannot guarantee what works for someone may work for you as well.

There are certain reasons you can study beforehand, though, to ensure that you do not commit the same mistakes yourself.

  1. Insufficient communication and education
    Succinctly sharing information with all your colleagues and employees is very important in the audit compliance process. If your employees are not aware of what a SOC 1/SOC 2 audit includes, how will they be able to communicate the same when questioned by the auditor? The policies and programs meant to impose security control will only function if they are handled by someone who has received proper training. Data breaches in organisations can happen even if a single person fails to follow the defined protocols. For example, you may have restricted your employees from downloading software from the internet, but one employee who never received that information could download malicious software and harm your company’s security. Therefore, educating and training your employees is vital for maintaining SOC compliance.
  2. Deficiency in the scope of Audit
    Scoping the audit is one of the first steps that need to be taken in the audit compliance process. If your organisation specialises in offering only one service, this step is much easier than if your organisation offers different services. Identifying and mitigating the risks involved with all those services is crucial, as any lack or mistake in even one department can cost you time and money. Even your customers may refuse to accept a report that is not properly scoped. The process of scoping the audit begins with identifying the people, the processes, and the systems that support a particular service. Then you need to identify the risks that are involved with it and design security measures that will keep those risks from materialising.
  3. Failure to perform Risk Assessment or Readiness Assessment
    Audit exceptions are like loopholes that were missed during the scope, design, and implementation of security controls. What’s the best way to understand the audit exceptions? Performing a readiness assessment. In cases where you fail to perform a RA, you may be missing an opportunity to conduct a ‘trial audit,’ and it could prevent you from finding out the mistakes in your systems before moving to the final audit. This could be done by an external auditor/firm or internally as well, just to check how prepared you are for a SOC 2 compliance audit check. The aim of performing readiness assessments is to determine the gaps in your organisation so that you can remedy those deficiencies.
  4. Unauthorised internal controls
    If you are waiting for an auditor to come and guide you through the process of monitoring your systems and programs, then you are not ready for the SOC 2 Type II audit. It is very important to have both manual and automated controls in place overseeing the functioning of your designed controls, especially if employee turnover and changes in systems and configurations are involved. In case of failure, you can have serious consequences like a data breach of private information on your hands. Therefore, it is critical that you assign ways of controlling and monitoring your systems, internally and externally. But who should be responsible for monitoring the controls? Ensure that the person you delegate the responsibility to is authorised and identified.

5 Ways you can avoid audit exceptions

Now that we’ve addressed the common reasons as to why audit exceptions occur, let’s also learn about five ways we can successfully avoid these exceptions during our audit compliance procedure.

  1. Automate monitoring
    Ensuring there is security throughout your company can be a challenging task, which is why we strongly recommend automating on a regular basis. Automate everything from monitoring and HR processes to technical checks, and ensure that the alerts are designed to notify you whenever an error is identified. You must select a compliance automation solution that provides the highest level of automation. GRC tools like Scrut Automation help manage continuous monitoring of Infosec compliance. Schedule a free call to know more.
  2. Company-wide monitoring
    Company-wide monitoring is as critical as it gets to ensure your compliance does not fall through. Continuous monitoring of all your systems will notify you of any possible risk as soon as it is identified, which is why it is one of the most vital preventive measures. Setting up automation for evidence collection, monitoring data, and notifying can be easily done by partnering up with us at Gomigo.
  3. Assign duties
    When everyone in your company is responsible for SOC 2, it won’t be easy to establish who takes care of what. While it is very important to have every team in your company on board and knowledgeable about the compliance procedure, it is also very important to have one or two authorised people responsible solely for monitoring, checking, and keeping track of things like alerts or policy changes that can impact your SOC 2. There must be a clearly specified program manager who has defined roles and responsibilities where SOC 2 is concerned.
  4. Start with a Type I audit for better understanding
    A Type II audit generally takes 6 months to be completed, and while this process is underway, you have to provide your customers with some assurance on the security controls that you have in place. This is why we suggest you start with a Type I audit to give your customers and partners a better understanding of all the security controls you have in place, along with the principles you’ve identified that apply to you.
  5. Employee training
    Last but not least is training your teams. Company-wide training for new hires, colleagues, employees is very crucial in maintaining SOC compliance.


These mistakes or exceptions can occur at any stage; the only way any organisation can aim to control them is by following the right security protocols and ensuring that all their employees are clinically trained with the right information. Constant monitoring will help you assess any loopholes you may have in your security controls.

Scrut Automation is an innovative and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, Compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, and CCPA. Schedule your demo today to see how it works.
