The most common SOC 2 findings are access-control failures: incomplete or unretained user access reviews (CC6.3), orphaned accounts for terminated employees (CC6.3), and missing MFA on admin, production and CI/CD systems (CC6.1). Close behind are change-management approvals that bypass the ticketing system (CC8.1), untested incident response (CC7.4), and weak vendor oversight (CC9.2). Most are cheap to fix — but a Type II tests them across the whole period, so you also have to build a clean track record.
Key takeaways
- Access control is where most findings cluster. Stale access reviews, orphaned terminated-employee accounts, and missing MFA all map to CC6.1–CC6.3 and account for the bulk of first-year exceptions.
- One exception does not fail your audit. There is no numeric threshold; an exception only affects the opinion when it rises to a deficiency the auditor judges material or pervasive on that criterion.
- SOC 2 uses exception / deviation language, not SOX terms. “Significant deficiency” and “material weakness” are financial-reporting (SOC 1 / ICFR) terms; SOC 2 auditors distinguish design vs. operating-effectiveness deficiencies that drive a modified opinion.
- Findings live in Section 4, responses in Section 5. Exceptions appear in the auditor’s test-results matrix; your management response sits in the unaudited “Other Information” section. There is no “management letter” in a SOC 2 report.
How SOC 2 findings work: exception vs. deficiency vs. qualified opinion
SOC 2 is governed by the AICPA Trust Services Criteria, codified in TSP section 100 (the 2017 criteria with revised points of focus, 2022). The examination itself is performed by a licensed CPA firm under the attestation standards in SSAE 18, specifically AT-C section 205 — note that AT-C section 320 governs SOC 1, not SOC 2. Only the Security category (the Common Criteria, CC1 through CC9) is mandatory; Availability, Processing Integrity, Confidentiality, and Privacy are added when in scope.
When an auditor tests a control and finds it did not operate as described, the observation is an exception (also called a deviation). A single exception is not the same as a failed control. Finding one prompts the auditor to do more testing — expand the sample, look for compensating controls — and only then judge whether the control’s design or operation is insufficient to meet the criterion. That broader conclusion is a deficiency. Enough deficiency on a criterion, and the auditor cannot issue a clean opinion on it.
A word of caution on vocabulary that competitors routinely get wrong: the ladder “exception → significant deficiency → material weakness” borrows from internal control over financial reporting (SOX and SOC 1 under AT-C section 320). In SOC 2 attestation practice, auditors most often speak of exceptions/deviations and of design versus operating-effectiveness deficiencies that drive a modified opinion. Keep the SOC 1 terms out of SOC 2 conversations unless you are actually discussing financial-reporting controls.
| Term | What it means | What triggers it | Effect on the opinion |
|---|---|---|---|
| Exception (deviation) | One instance a control did not operate as described in the period | A sampled item fails the test | None by itself; prompts additional testing |
| Deficiency | Control design or operation is insufficient to meet the criterion | Exceptions accumulate, or a design gap is identified | May qualify the opinion on that criterion |
| Unqualified (clean) | Controls met the applicable criteria | No deficiencies that matter to the opinion | The report a buyer wants to see |
| Qualified | Met the criteria “except for” a specified area | A deficiency the auditor judges material on one criterion | Usable in procurement, but the exception is visible |
| Adverse | Controls did not meet the criteria | Deficiencies so pervasive the whole system fails | Rarely issued; a serious signal to buyers |
| Disclaimer | Auditor cannot form an opinion | Insufficient evidence, e.g. a missing management assertion | No assurance provided |
Most readers stop at three opinion types; there are four. The disclaimer of opinion is issued when the auditor cannot obtain sufficient appropriate evidence — the classic cause being a missing or inadequate management assertion — and it is worth knowing when you evaluate a vendor’s report.
Does one finding fail your SOC 2?
No. You cannot “fail” a SOC 2 audit the way you fail a pass/fail exam. A report can be issued with noted exceptions and still be perfectly usable in enterprise procurement. What matters is whether an exception rises to a deficiency that changes the auditor’s opinion on a criterion from unqualified to qualified. There is no fixed count that flips the switch — the auditor performs additional sampling when an exception surfaces and weighs its materiality and pervasiveness. Aim for clean, but a well-explained exception with a corrective action plan is not a deal-killer.
The three buckets auditors actually use
Before the symptom-level list, it helps to see the parent framework auditors apply. Every SOC 2 finding falls into one of three buckets, and knowing which one you are facing tells you whether the fix is a document, a design change, or a track record you have to rebuild over time.
| Bucket | What the auditor concluded | Typical fix |
|---|---|---|
| System description misstatement | The description of the system in the report does not match reality | Correct the description so it reflects what you actually do |
| Design deficiency | The control, even if operated perfectly, would not meet the criterion | Redesign the control; usually caught in a readiness assessment before fieldwork |
| Operating-effectiveness deficiency | The control is well designed but did not operate consistently in the period | Fix the process and produce a clean run of evidence — the slowest to remediate in a Type II |
The last bucket is the one that stings in a Type II: a design fix can happen overnight, but proving operating effectiveness requires the corrected control to run cleanly for the rest of the observation period.
The 12 most common SOC 2 findings, ranked
The ranking below reflects what we observe across first-year Type II engagements at Auditsuisse; it is auditor experience, not a published statistic. Each finding names its exact Common Criteria identifier so you can trace it back to the full SOC 2 controls list by Trust Services Criteria.
| # | Finding | TSC criterion | Typical root cause | The fix | Time to remediate |
|---|---|---|---|---|---|
| 1 | Incomplete or unretained access reviews | CC6.2 / CC6.3 | Review done informally, no reviewer sign-off retained | Run and evidence reviews on a defined cadence | 1 sprint |
| 2 | Orphaned accounts (terminated/transferred staff) | CC6.3 | Offboarding not tied to the HRIS termination event | Automate deprovisioning via SCIM; reconcile | Quick win |
| 3 | Missing or inconsistent MFA | CC6.1 | MFA gaps on cloud root, VPN, or CI/CD | Enforce MFA everywhere via the IdP / SSO | Quick win |
| 4 | Excessive privilege / no least privilege | CC6.1 / CC6.3 | Standing admin access, no role-based model | Right-size roles; introduce just-in-time access | 1 quarter |
| 5 | Change approvals bypassing ticketing | CC8.1 | Approvals live in Slack/DM, not the tracker | Require PR + ticket approval before deploy | 1 sprint |
| 6 | No evidence of testing / peer review | CC8.1 | Direct-to-prod pushes, no separation of duties | Branch protection + mandatory reviewer | 1 sprint |
| 7 | Untested or undocumented incident response | CC7.3 / CC7.4 | Plan exists on paper but never exercised | Run a tabletop; document the test | 1 sprint |
| 8 | Unremediated vulnerabilities / stale pen-test findings | CC7.1 | Scans run, findings not tracked to closure | SLA-driven remediation with evidence | 1 quarter |
| 9 | Weak vendor / subprocessor oversight | CC9.2 | No vendor risk reviews or SOC report collection | Vendor inventory + annual risk review | 1 quarter |
| 10 | Generic policies not matching practice | CC1 / CC5 | Templated policies never operationalized | Rewrite policy to match actual practice | 1 sprint |
| 11 | Missing or inconsistent logging/monitoring | CC7.2 | Logs not centralized or not reviewed | Centralize logs; alert on anomalies | 1 quarter |
| 12 | Backups / BCP-DR not tested | A1.2 / A1.3 | Backups configured but restores never verified | Perform and evidence a restore test | 1 sprint |
1. Incomplete or unretained access reviews (CC6.2 / CC6.3)
This is the single most frequently documented finding we see. The review often was performed — someone eyeballed the user list — but no reviewer sign-off, population, or date was retained, so it is unpresentable and generates an exception even though the control operated. CC6.2 covers registration and authorization of new users; CC6.3 covers modification, removal, and periodic review of access. The 2017 TSC says access should be reviewed periodically; it does not mandate a frequency. Many organizations define quarterly reviews for privileged access in their own policy — that is common practice, not an AICPA rule.
2. Orphaned accounts for terminated or transferred employees (CC6.3)
An active account belonging to someone who left the company — caught in an access sample — is a near-universal qualifying-type finding under CC6.3, which expects timely removal of access relative to the termination event. Transfers are just as risky: the person kept their old team’s access on top of the new. The fix is to tie deprovisioning to the HRIS termination event so it is automatic, not a manual afterthought. See the CC6.3 access removal control for what evidence auditors expect.
3. Missing or inconsistent MFA on admin, production, VPN and CI/CD (CC6.1)
Here is a nuance most competitors get wrong: MFA is not named as a control in the 2017 TSC text. The criteria speak in terms of authentication under CC6.1’s points of focus; auditors evaluate MFA as how you implement that authentication, not as a criterion in its own right. In practice, MFA gaps surface on cloud root/admin accounts, production consoles, VPN, and CI/CD pipelines — the systems teams forget when they only enforce it on the primary SSO app. Enforce it everywhere through the identity provider and the finding disappears.
4. Excessive privilege / no least-privilege enforcement (CC6.1 / CC6.3)
Standing admin rights that nobody uses day-to-day are a classic least-privilege and segregation-of-duties (SoD) finding. Auditors look for a role-based model and evidence that access matches job function. Just-in-time elevation and periodic entitlement reviews are the durable fix.
5. Change-management approvals that bypass the ticketing system (CC8.1)
CC8.1 governs change management. The finding arises when an auditor traces a sample of production changes and cannot find authorization or peer review in the system of record — typically because the approval happened in a Slack thread or a verbal “ship it” rather than the ticket. The fix is to make the ticket-plus-pull-request approval a hard gate before deployment.
6. No evidence of testing or peer review before deployment (CC8.1)
Related to #5: direct-to-production pushes with no separation between the developer and the deployer. Branch protection with a mandatory reviewer, plus a test/CI gate, produces the evidence auditors sample.
7. Untested or undocumented incident response (CC7.3 / CC7.4)
CC7.3 and CC7.4 cover evaluating and responding to security events. A polished incident-response plan that was never exercised is a finding waiting to happen. Run at least one tabletop exercise in the period and document it — who participated, the scenario, and the lessons captured.
8. Unremediated vulnerabilities and stale pen-test findings (CC7.1)
CC7.1 covers vulnerability detection. Running scans is not enough; auditors want to see findings tracked to closure against an SLA. Open, aging penetration-test findings with no remediation record are a common exception. Tie each vulnerability to a ticket and a due date.
9. Weak vendor / subprocessor risk oversight (CC9.2)
CC9.2 covers vendor and business-partner risk. Findings arise when there is no vendor inventory, no risk-tiering, or no collection of subprocessors’ own SOC reports. Our guide to vendor management for SOC 2 compliance covers the subprocessor oversight gaps auditors flag most.
10. Generic or unenforced policies not matching practice (CC1 / CC5)
Templated policies that describe controls the company does not actually operate are a CC1 (control environment) and CC5 (control activities) problem. Auditors test operating effectiveness against observed behavior, so a policy that overstates practice creates its own exception. Write the policy to match what you do.
11. Missing or inconsistent logging and monitoring (CC7.2)
CC7.2 covers monitoring for anomalies. Logs that are not centralized, not retained, or never reviewed generate findings. Centralize logging and alert on the events that matter.
12. Backups and BCP/DR not tested (Availability A1.2 / A1.3, if in scope)
If Availability is in scope, A1.2 and A1.3 expect tested recovery. Backups that are configured but whose restores are never verified are a common finding. Perform and document a restore test at least once in the period.
One more that reviewers frequently raise: complementary user entity controls (CUECs) and subservice-organization scoping. When your report relies on the customer to operate certain controls (CUECs) or carves out a subservice provider, gaps or omissions in how those are described become findings in their own right.
Access-control findings deep-dive
Because access control (CC6) produces the most findings, it deserves a closer look at exactly what the auditor asks for and how to prevent the exception with automation.
| Finding | Criterion | Evidence the auditor requests | Preventive automation |
|---|---|---|---|
| Orphaned account | CC6.3 | Termination date vs. account-disable date for a sample of leavers | SCIM deprovisioning from HRIS/IdP |
| Missing MFA | CC6.1 | MFA enrollment/enforcement config for each in-scope system | IdP conditional-access policy, no exceptions |
| Excessive privilege | CC6.1 / CC6.3 | Entitlement export mapped to job role | Role-based access + just-in-time elevation (IGA) |
| Stale access review | CC6.2 / CC6.3 | Signed, dated review with the population reviewed | Scheduled access-certification campaigns |
| Shared admin credentials | CC6.1 | Named-user attribution for privileged actions | SSO + individual accounts, vault for secrets |
Notice the recurring theme: most access findings are really evidence findings. The control operated, but the proof was not captured. Treat reviewer sign-off, dates, and populations as first-class artifacts — retain reviewer sign-off as evidence rather than discovering at fieldwork that a completed review is unpresentable.
Change-management findings deep-dive: tracing one change
To understand CC8.1 findings, walk through how an auditor tests a single production change. They pick a change from your deployment history and try to reconstruct its full lifecycle from your system of record:
First, was there a ticket or work item describing the change and its rationale? Second, is there a pull request with a peer review from someone other than the author — i.e., separation between developer and approver? Third, is there evidence the change was tested before it shipped? Fourth, does the deployment record match the approved change? If any link is missing — the approval was a Slack thumbs-up, or the author merged their own PR — that sampled change is an exception. Multiply that across a sample and you have a CC8.1 deficiency.
The durable fix is to make the system enforce the workflow: branch protection requiring a non-author reviewer, a required CI check, and a deploy gate that ties back to the ticket. Then the evidence is generated automatically every time, and there is nothing to reconstruct at fieldwork.
Where findings actually live in the report
Buyers and first-time issuers are often surprised by where an exception physically appears. A SOC 2 Type II report has a consistent structure, and findings do not float freely — they live in a specific section.
| Section | Contents | Audited? | Where findings appear |
|---|---|---|---|
| Section 1 | Independent auditor’s report and opinion | Yes | A qualification is stated here |
| Section 2 | Management’s written assertion | Yes (its absence causes a disclaimer) | — |
| Section 3 | Description of the system | Yes | Description misstatements |
| Section 4 | Auditor’s tests of controls and results | Yes | Exceptions/deviations appear here |
| Section 5 | Other Information provided by management | No — unaudited | Management’s response to exceptions |
Two things matter here. First, the exceptions themselves sit in Section 4, the test-results matrix — the heart of a Type II. Second, your written response to an exception goes in Section 5, “Other Information,” which is unaudited. That means you can explain and contextualize a finding, but the auditor does not vouch for your response. And to be precise about terminology: there is no “management letter” in a SOC 2 report — that is a financial-audit artifact. The management response lives in Section 5.
How findings differ in a Type I vs a Type II report
The same underlying gap shows up differently depending on the report type. This is worth understanding before you decide how findings differ between a Type I and Type II report.
| Report type | What is tested | How a finding manifests | Remediation window |
|---|---|---|---|
| Type I | Design of controls as of a single date | A design gap — the control would not meet the criterion even if operated | Fix before the “as of” date; often same day |
| Type II | Design plus operating effectiveness over a period | An operating-effectiveness gap — the control lapsed on some sampled dates | Must rebuild a clean record before period end |
This is why the Type II is harder to remediate mid-flight: fixing the control today does not erase the dates earlier in the period when it did not operate. Catching design gaps in a Type I or readiness pass first is the cheapest insurance.
Remediation quick-reference by tool
Most findings trace back to a specific system’s configuration. This table maps the tools you already run to the finding they typically produce and the concrete fix.
| System / tool | Common finding it produces | Config or process fix |
|---|---|---|
| Okta / Entra ID | Missing MFA, orphaned accounts | Conditional-access MFA everywhere; SCIM deprovisioning from HRIS |
| AWS / GCP / Azure | Root/admin without MFA, excessive IAM privilege | MFA on root; least-privilege IAM roles; access analyzer reviews |
| GitHub / GitLab CI | Changes without peer review or testing | Branch protection + required non-author reviewer + CI gate |
| Jira / Linear | Change approvals not in the system of record | Require an approved ticket linked to every deploy |
| HRIS (Workday, BambooHR) | Deprovisioning not tied to termination | Trigger IdP offboarding from the termination event |
How to evaluate a vendor’s SOC 2 exceptions
If you are on the receiving end — a security or procurement lead reviewing a vendor’s report — a few exceptions are not an automatic rejection. Read Section 4 for the nature of each exception, then read the vendor’s response in Section 5. Ask: is the exception on a criterion that matters to your data? Did management acknowledge it and describe a fix? Is it a one-off deviation or a pattern across the period?
Also check the dates. A report covers a stated period, and there is usually a gap between the period-end date and the day you are reading it. A vendor covers that gap with a bridge letter (or gap letter) — a management-signed statement that nothing material has changed. It is a representation, not auditor-tested assurance, so industry practice limits it to roughly 90 days, and any open exception should be represented honestly in it. A bridge letter can never substitute for a fresh Type II.
How to catch these before fieldwork: a pre-audit self-test
Nearly every finding on this page is cheaper to fix before the observation period than during it. The highest-ROI move is to run a readiness assessment to catch these before fieldwork, then fix design gaps while the clock has not started. Understand where in the audit timeline exceptions surface so you are not remediating under deadline pressure, and remember that over-scoping creates more places to fail — scope tightly.
A simple self-test: for each of the top-12 findings, can you produce, right now, a dated and signed piece of evidence that the control operated? If the honest answer is “we do it but nothing is saved,” you have an evidence problem, and repeated remediation cycles are exactly what inflate audit cost. Building durable evidence capture now is the single best predictor of a clean report.
Frequently asked questions
What are the most common SOC 2 findings?
The most common SOC 2 findings are incomplete or unretained user access reviews (CC6.3), orphaned accounts for terminated employees (CC6.3), missing MFA on admin, production and CI/CD systems (CC6.1), change-management approvals that bypass ticketing (CC8.1), untested incident response (CC7.4), and weak vendor oversight (CC9.2). Access-control findings under CC6 dominate first-year reports.
What is a SOC 2 exception?
A SOC 2 exception is a single instance where a control did not operate as described during the audit period. One exception does not automatically fail the audit; it becomes serious only when exceptions accumulate enough that the auditor cannot conclude the control operated effectively, which can qualify the opinion on that criterion.
Does one finding fail your SOC 2 audit?
No. A SOC 2 report can be issued with noted exceptions and still be usable in procurement. A finding only affects the report when it rises to a deficiency that changes the auditor’s opinion on a Trust Services criterion from unqualified (clean) to qualified, or in severe cases to adverse. There is no numeric threshold.
What is the difference between a SOC 2 exception and a deficiency?
An exception is one observed instance of a control not operating as described. A deficiency is a broader conclusion that the control’s design or operation is insufficient to meet the criterion. The auditor performs additional testing when an exception is found; whether it modifies the opinion depends on materiality and pervasiveness, not a fixed count.
What is the most common SOC 2 finding?
In our engagement experience, incomplete access reviews are the single most frequently documented SOC 2 finding: the review was performed but not retained with reviewer sign-off, or was never run on the cadence the organization itself defined, mapping to CC6.2 and CC6.3. Close behind are orphaned terminated-employee accounts and missing MFA.
How do you fix a SOC 2 orphaned-account finding?
Fix an orphaned-account finding (CC6.3) by tying deprovisioning to the HRIS termination event via SCIM or automated offboarding, running a full access reconciliation to remove stale accounts, and evidencing timely removal on a sample of recent terminations for the next audit period.
Where do SOC 2 findings appear in the report?
Exceptions and deviations appear in Section 4 of a SOC 2 Type II report — the auditor’s tests of controls and results matrix. Management’s response to those exceptions appears in Section 5, the “Other Information” section, which is unaudited. There is no separate “management letter” in a SOC 2 report.
How long does it take to remediate a SOC 2 finding?
It depends on the finding. Enabling MFA or removing an orphaned account is a same-day fix. Rebuilding an access-review cadence or a change-management workflow takes roughly a sprint. Because a Type II tests operating effectiveness across the whole period, the corrected control must also produce a clean track record before period end to avoid an exception.
Sources & further reading
- AICPA & CIMA — 2017 Trust Services Criteria (with Revised Points of Focus — 2022), TSP section 100 — the source of CC6.1, CC6.3, CC8.1 and CC9.2 points of focus.
- AICPA & CIMA — SOC 2® — SOC for Service Organizations: Trust Services Criteria.
- AICPA — Statement on Standards for Attestation Engagements No. 18 (SSAE 18); SOC 2 examinations are performed under AT-C section 205, and SOC 1 under AT-C section 320.
Fix findings before they cost you a deal
Auditsuisse is a US & Swiss licensed CPA firm. We’ll pressure-test your controls against the findings above, sequence remediation sensibly, and quote a fixed fee — see our SOC 2 audit services or book a scoping call.
Request Consultation