What are some of the most common SOC 2 audit exceptions our teams have encountered?
SOC 2 (Type 2) report exceptions occur when a service organization fails to operate a control effectively as it was designed. From my experience, the ten most common exceptions I have seen in the field are:
- Failure to remove/disable access to terminated user account(s) in a timely manner
- Failure to complete or retain evidence of policy (InfoSec, code of conduct, etc.) acknowledgment/sign off
- Failure of user(s) to complete security awareness training upon hire and/or annually thereafter
- Failure to retain evidence of or document a system change for approval or testing
- Failure to complete or retain evidence of annual performance review of employees with responsibilities related to security, availability, and confidentiality
- Failure to complete a background check for new hire user(s) in a timely manner
- Failure to perform an annual third-party risk review of subservice organizations and/or other third parties
- Failure to design action plans or remediate moderate/high-risk vulnerabilities identified in scans
- Failure to complete or retain evidence for regular password or key rotation
- Failure to deploy anti-virus software or endpoint management solution on all in-scope devices
Both our Third Party Risk Management and SOC practices see these exceptions most often when service organizations are going for their first SOC report, switching audit firms, or migrating to new systems/infrastructure.
Are these exceptions similar to your experiences, or are there others you are running into not on the list?
About Schneider Downs SOC Services
Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations.
If you are interested in learning how we can assist your organization, please contact us to get started and learn more about our practice at www.schneiderdowns.com/soc.