The email from our auditor arrived at 4:17 PM on a Thursday. Subject line: "Control Testing Results - Action Required."
My stomach dropped. I'd been working with this fintech company for eight months, and we were three weeks away from completing their first SOC 2 Type II audit. I opened the attachment and saw it: 23 exceptions identified across critical controls.
The CEO's face went pale when I showed him the report. "Does this mean we fail?" he asked. "Are we going to lose our customers?"
I took a deep breath and said something that surprised him: "No. This is actually normal. What matters now is how we handle these exceptions."
That was five years ago, and that company not only passed their audit—they used the exception management process to build one of the strongest security programs I've ever seen. Today, I want to share what I've learned about handling SOC 2 exceptions across 60+ audits and why exceptions aren't the disaster most people think they are.
What SOC 2 Exceptions Really Mean (And Why You Probably Have Them)
Let me be brutally honest: I've never seen a first-time SOC 2 audit with zero exceptions. Not once in fifteen years. And I've worked with some incredibly sophisticated organizations.
Here's why: SOC 2 controls are tested rigorously. Auditors don't just check if you have a control—they test if it operated effectively for the entire audit period. One missed review, one access grant without proper approval, one log that wasn't monitored—that's an exception.
"An exception doesn't mean you failed. It means your auditor found evidence that a control didn't operate as designed. The difference matters."
The Types of Exceptions You'll Encounter
In my experience, exceptions fall into distinct categories. Understanding these categories is crucial because they require different remediation approaches.
Exception Type | Description | Typical Cause | Remediation Complexity |
|---|---|---|---|
Design Deficiency | The control isn't designed properly to meet the objective | Misunderstanding requirements, gaps in design | High - Requires control redesign |
Operating Deficiency | The control exists but wasn't executed properly | Human error, process breakdown | Medium - Fix the execution |
Documentation Gap | The control operated but evidence is missing | Poor record-keeping | Low - Improve documentation |
Sampling Exception | Issue found in sample but not systemic | Isolated incident | Low to Medium - Demonstrate it's not recurring |
Timing Exception | Control executed but outside required timeframe | Process delays, resource constraints | Medium - Improve timeliness |
Scope Exception | Control didn't cover all required areas | Incomplete implementation | High - Expand control scope |
I remember a SaaS company that had 17 exceptions in their first audit. When we categorized them, we found:
2 were design deficiencies (serious problems)
4 were operating deficiencies (process fixes needed)
11 were documentation gaps (evidence existed, wasn't provided)
Understanding this breakdown changed everything. Instead of panicking about 17 problems, we could prioritize fixing the 2 critical design issues while quickly addressing the documentation gaps.
The Anatomy of an Exception: What Your Auditor Is Really Telling You
Let me walk you through a real exception from a 2023 audit. I've anonymized it, but this is verbatim:
Control: User access reviews are performed quarterly for all production systems, with results documented and exceptions remediated within 30 days.
Exception: During Q2 2023 access review, 3 users with elevated privileges were not included in the review scope. Additionally, the Q3 2023 review was completed 47 days late, on October 17 instead of the required September 30 deadline.
Impact: Inability to detect and remediate inappropriate access in a timely manner, potentially allowing unauthorized access to production systems.
This exception tells us several things:
The control design is sound - The auditor isn't questioning whether quarterly reviews are appropriate
The execution failed in two ways - Incomplete scope and late completion
The risk is clearly articulated - We understand what could go wrong
There's a path to remediation - We know exactly what to fix
When I showed this to the client's operations team, their first reaction was defensive: "We were slammed with a major product launch! We documented why it was late!"
And that's where most organizations make their first mistake.
"Explaining why an exception occurred doesn't fix it. Your auditor doesn't care about excuses—they care about corrective action plans."
The Exception Management Framework That Actually Works
After handling hundreds of exceptions, I've developed a framework that consistently works. It's not complicated, but it requires discipline.
Step 1: Acknowledge and Categorize (Within 48 Hours)
The moment you receive exception findings, time starts ticking. Here's what I do immediately:
Create an exception log - I use a simple spreadsheet with these columns:
Exception ID | Control Description | Exception Details | Category | Severity | Root Cause | Owner | Due Date | Status |
|---|---|---|---|---|---|---|---|---|
EX-001 | Access Review | 3 users not included, 47-day delay | Operating | High | Resource constraint, incomplete automation | J. Smith | 2024-01-15 | In Progress |
I cannot overstate how important this log becomes. It's your single source of truth for managing the remediation process.
Assign severity levels - Not all exceptions are created equal. I use this framework:
Severity | Definition | Response Time | Example |
|---|---|---|---|
Critical | Control completely missing or non-functional; high risk of material impact | Immediate (24-48 hours) | No access reviews performed for 6 months |
High | Control operating but with significant gaps; moderate risk | 1-2 weeks | Access reviews missing key systems |
Medium | Control operating with minor deficiencies; low to moderate risk | 2-4 weeks | Access reviews completed late |
Low | Documentation or isolated incidents; minimal risk | 4-8 weeks | Evidence not retained properly |
A healthcare company I worked with in 2022 had 31 exceptions. They initially treated all of them as equally urgent, which overwhelmed their team and resulted in poor-quality fixes. When we applied severity rankings, they could focus on the 4 critical and 7 high-priority exceptions first, completing those in three weeks, then methodically addressing the rest.
Step 2: Root Cause Analysis (The Part Most People Skip)
Here's a pattern I see constantly: organizations treat symptoms instead of diseases.
An exception says "access review was late." The remediation plan says "complete access reviews on time." That's not a remediation—that's a wish.
I use the "Five Whys" technique for every exception. Let me show you how this works with a real example:
Exception: Vulnerability scans were not performed for 2 weeks in July due to system maintenance.
Why #1: Why weren't scans performed? Because the scanning system was down for maintenance.
Why #2: Why wasn't there a backup scanning process? Because we didn't think we'd need one—maintenance was supposed to take 3 days.
Why #3: Why did maintenance take 14 days instead of 3? Because we encountered unexpected compatibility issues with the new scanner version.
Why #4: Why weren't compatibility issues identified before maintenance? Because we didn't have a proper testing environment for the scanner.
Why #5: Why don't we have a testing environment? Because it wasn't included in the original implementation budget and nobody prioritized it.
Now we have a real root cause: inadequate testing infrastructure and change management process.
The remediation plan isn't "scan on time." It's:
Establish a test environment for security tools (2 weeks)
Implement a change management process requiring testing before production changes (3 weeks)
Document contingency procedures for when primary scanning tools are unavailable (1 week)
Cross-train team on backup scanning tools (2 weeks)
This is the difference between checking a box and actually fixing the problem.
Step 3: Develop Remediation Plans (With Realistic Timelines)
Every exception needs a remediation plan. But here's what I've learned: generic remediation plans fail 80% of the time.
Here's what a weak remediation plan looks like:
❌ Bad Example:
Exception: Access reviews incomplete
Remediation: Will perform complete access reviews quarterly
Owner: Security Team
Completion Date: Next quarter
Here's what a strong remediation plan looks like:
✅ Good Example:
Exception: Q3 2023 access review did not include 3 users with elevated privileges and was completed 47 days late.
Remediation Plan:
Immediate Actions (Within 1 week):
Complete access review for the 3 missed users (Owner: J. Smith, Due: 12/15)
Revoke any inappropriate access identified (Owner: J. Smith, Due: 12/16)
Document findings and actions taken (Owner: J. Smith, Due: 12/17)
Short-term Corrective Actions (Within 1 month):
Update access review procedure to include checklist of all systems and user types (Owner: M. Johnson, Due: 1/5)
Implement automated report generation that flags all elevated privilege accounts (Owner: T. Chen, Due: 1/12)
Schedule quarterly access reviews as recurring calendar events with 2-week lead time (Owner: J. Smith, Due: 12/20)
Create escalation procedure for when reviews cannot be completed on schedule (Owner: M. Johnson, Due: 1/5)
Long-term Preventive Actions (Within 3 months):
Implement identity governance platform to automate access reviews (Owner: T. Chen, Due: 2/28)
Establish quarterly access review dashboard with automated reminders (Owner: T. Chen, Due: 2/28)
Conduct team training on new access review process (Owner: M. Johnson, Due: 3/15)
Monitoring and Validation (Ongoing):
Monthly spot-checks of access review completion (Owner: J. Smith)
Quarterly metrics reporting to leadership (Owner: M. Johnson)
Annual process review and improvement (Owner: M. Johnson)
See the difference? The second plan addresses the immediate exception, fixes the process, prevents recurrence, and establishes ongoing monitoring.
The Timeline Reality: How Long Does Remediation Actually Take?
One of the most common questions I get: "How quickly do we need to fix these exceptions?"
The answer depends on several factors, but here's what I've seen across dozens of audits:
Remediation Scope | Typical Timeline | Complexity Factors |
|---|---|---|
Documentation only | 1-2 weeks | Gathering evidence, recreating records |
Process improvement | 4-8 weeks | Procedure updates, training, validation |
Tool implementation | 8-16 weeks | Vendor selection, deployment, integration |
Organizational change | 12-24 weeks | Role definitions, hiring, culture shift |
Infrastructure changes | 16-32 weeks | Architecture redesign, testing, migration |
I worked with an e-commerce company in 2021 that had an exception related to encryption of data at rest. Their auditor found that one legacy database wasn't encrypted.
The quick fix? Enable encryption on that database. Timeline: 2 days.
The right fix? Conduct a comprehensive inventory of all data stores, implement encryption across all systems, establish encryption standards, and create a validation process. Timeline: 14 weeks.
They chose the right fix. It took longer, but when they went through their next audit, they had zero encryption-related exceptions and had actually discovered three other unencrypted data stores that would have been future exceptions.
"Fast remediation fixes the exception. Thorough remediation fixes the system. Always choose thorough."
Communicating Exceptions: The Conversations Nobody Teaches You
Here's a scenario that happened to me in 2020: I was presenting audit results to a board of directors. The CISO had briefed them that the audit was "going well."
Then I showed them: 18 exceptions, including 3 categorized as high severity.
The room got very quiet. One board member finally asked, "Should we be looking for a new CISO?"
This is where exception management becomes as much about communication as it is about remediation.
How to Present Exceptions to Leadership
I use this framework when presenting exceptions to executives or boards:
1. Start with context: "SOC 2 audits typically identify exceptions in first-year audits. Based on my experience with 60+ audits, finding 18 exceptions in a first audit is within normal range. Organizations with mature programs still typically have 3-7 exceptions in ongoing audits."
2. Categorize and prioritize: "Of our 18 exceptions, 3 are high priority, 8 are medium, and 7 are low. None are critical. We have clear remediation plans for all of them."
3. Show progress and accountability:
Priority | Count | Owner | Target Completion | Status |
|---|---|---|---|---|
High | 3 | Security Team | January 31 | 2 complete, 1 in progress |
Medium | 8 | Operations | February 28 | 5 complete, 3 in progress |
Low | 7 | Compliance | March 31 | 1 complete, 6 in progress |
4. Highlight systemic improvements: "While addressing these exceptions, we've identified and are implementing three process improvements that will prevent similar issues in future audits."
5. Be transparent about challenges: "The timeline for exception EX-003 may extend by two weeks due to vendor delays in implementing the identity governance platform. We have a contingency plan in place."
The board member who asked about replacing the CISO ended the meeting by saying, "This is exactly the kind of systematic approach I want to see. Keep us updated monthly."
How to Work with Your Auditor
Your auditor is not your enemy. In fact, a good auditor is one of your best resources during exception remediation. Here's how I approach auditor relationships:
Be proactive: Don't wait for the final report. If you spot potential exceptions during testing, bring them up immediately. I've had auditors help us craft remediation plans before the final report, which accelerated our timeline significantly.
Ask questions: If an exception isn't clear, ask for clarification. I once spent two weeks remediating what I thought was a design deficiency, only to learn the auditor was actually concerned about documentation. A 15-minute call would have saved us 10 days of work.
Provide evidence: When you implement remediation, document everything. I create a remediation evidence package for each exception that includes:
Updated policies and procedures
Evidence of implementation (screenshots, logs, tickets)
Training records
Validation testing results
One auditor told me: "I wish all my clients documented like you do. It makes the follow-up audit so much smoother."
The Exception Management Tools That Make Life Easier
You don't need expensive software to manage exceptions effectively. Here's my toolkit:
The Essential Exception Tracking Spreadsheet
I've refined this over years of audits. Here are the tabs I include:
Tab 1: Exception Log
Exception ID, description, category, severity, status
Links to evidence and remediation plans
Tab 2: Remediation Plans
Detailed action items with owners and due dates
Dependencies and blockers
Status updates and completion evidence
Tab 3: Evidence Repository
Links to all remediation evidence
Documentation of testing and validation
Sign-offs and approvals
Tab 4: Dashboard
Summary metrics (total exceptions, by severity, by status)
Timeline view of remediation progress
Risk indicators for overdue items
Tab 5: Lessons Learned
What caused each exception
What we learned
How we'll prevent it in the future
A technology company I worked with used this spreadsheet to manage 28 exceptions across a 6-month remediation period. They completed all remediations on time and used the lessons learned to reduce their next audit to just 4 exceptions.
The Weekly Remediation Meeting Structure
Every organization I work with implements a weekly exception remediation meeting. Here's the agenda that works:
Duration: 30-45 minutes, no more
Attendees: Exception owners, security leadership, relevant stakeholders
Agenda:
Quick wins (5 minutes): Celebrate completed remediations
Blockers (10 minutes): Identify and resolve roadblocks
Timeline review (10 minutes): Update due dates, flag risks
Priority adjustments (5 minutes): Re-prioritize based on business needs
Next week commitments (5 minutes): What will be completed by next meeting
Action items (5 minutes): Document decisions and assignments
The key: keep it short, focused, and action-oriented. This isn't a status meeting—it's a problem-solving session.
Real Exception Scenarios and How We Fixed Them
Let me share some real exceptions I've handled and what we learned from each:
Case Study 1: The Missing MFA Exception
Company: SaaS provider, 75 employees Exception: Multi-factor authentication (MFA) not implemented for 23% of user accounts accessing customer data
Initial Reaction: "We'll just turn on MFA for everyone."
The Problem: They had legacy systems that didn't support MFA. Forcing MFA would have broken critical business processes.
The Solution:
Immediate: Enabled MFA for all systems that supported it (covered 77% of users in 48 hours)
Short-term: Implemented compensating controls for legacy systems (additional monitoring, shortened session timeouts, IP restrictions)
Long-term: Initiated project to replace or upgrade legacy systems (8-month timeline)
Documentation: Created waiver process for accounts that couldn't support MFA, with quarterly review and approval
Outcome: Exception closed in 12 weeks. All users on MFA-capable systems within 2 days. Legacy system replacement completed ahead of schedule. Zero MFA exceptions in next audit.
Lesson: Sometimes you can't fix everything immediately. Compensating controls plus a roadmap to full compliance is acceptable.
Case Study 2: The Change Management Disaster
Company: Financial services firm, 200 employees Exception: 47 production changes made without following change management procedures, including 12 emergency changes without post-implementation review
Initial Reaction: "We'll be more careful about following the process."
The Problem: The change management process was so cumbersome that teams routinely bypassed it to meet business deadlines.
The Solution:
Process redesign: Simplified change request form from 23 fields to 8 critical fields
Automation: Implemented ticketing system with automated approvals for low-risk changes
Emergency process: Created streamlined emergency change process with 1-hour approval SLA
Training: Conducted workshops showing how the new process actually saved time
Metrics: Established dashboard tracking change management compliance
Outcome: Change management compliance went from 62% to 97% within 3 months. Emergency changes dropped from 12/quarter to 2/quarter because the standard process became fast enough.
Lesson: If people routinely bypass a control, the control is the problem, not the people.
Case Study 3: The Documentation Black Hole
Company: Healthcare technology startup, 40 employees Exception: Unable to provide evidence of security awareness training for 18 employees during audit period
Initial Reaction: "We definitely did the training! We just can't find the records."
The Problem: They conducted training through informal lunch-and-learns with no attendance tracking or completion records.
The Solution:
Immediate: Conducted remedial training for all employees with documented attendance and completion testing
Platform: Implemented learning management system (LMS) with automated tracking
Content: Created structured curriculum with quarterly required training
Automation: Set up automatic reminders, escalations, and compliance reporting
Integration: Connected LMS to HR system so all new hires automatically enrolled
Outcome: 100% training compliance within 6 weeks. Ongoing compliance rate of 98%+. Next audit: zero training exceptions.
Lesson: If you can't prove it happened, it didn't happen. Invest in proper documentation systems.
The Exception Types That Keep Me Up at Night
Not all exceptions are equal. Some are paperwork issues. Others indicate fundamental security problems. Here are the ones that genuinely worry me:
High-Risk Exception Patterns
Exception Pattern | Why It's Dangerous | What It Usually Reveals |
|---|---|---|
Multiple access control exceptions | Suggests widespread authorization problems | Lack of identity governance, unclear ownership |
Repeated exceptions across audits | Indicates systemic failure to fix root causes | Organizational resistance, insufficient resources |
Management override exceptions | Shows control environment isn't respected | Poor security culture, pressure to bypass controls |
Incomplete or missing logs | Prevents detection of security incidents | Inadequate monitoring, potential evidence destruction |
Change management failures | Increases risk of outages and security gaps | Inadequate processes, unrealistic deadlines |
I once worked with a company that had access control exceptions in three consecutive audits. Each time, they "fixed" the immediate issue without addressing the root cause: they had no formal identity governance process.
We finally implemented a comprehensive identity and access management program. It took 5 months and significant investment. But they went from 8 access-related exceptions per audit to zero. And they detected and prevented two potential insider threat incidents because they finally had visibility into user access patterns.
"Show me an organization's recurring exceptions, and I'll show you where their security program is fundamentally broken."
The Truth About "Clean" Audits
Here's something the compliance industry doesn't talk about enough: a clean SOC 2 audit with zero exceptions is not necessarily a good thing.
I've seen two scenarios where zero exceptions actually concerned me:
Scenario 1: The Overly Cautious Auditor The auditor tested the bare minimum, avoided difficult areas, and essentially gave the organization a pass. This isn't doing anyone any favors. The next auditor might be more thorough, leading to a shocking exception count.
Scenario 2: The Overprepared Organization The organization over-corrected from a previous bad audit and now has excessive controls that slow down business operations. They're spending 200% of what they need to on compliance.
The sweet spot? An organization that:
Has 3-7 exceptions per audit (shows the auditor is thorough)
Demonstrates continuous improvement (fewer exceptions each cycle)
Fixes exceptions promptly and thoroughly
Uses exceptions as learning opportunities
One of my most successful clients has averaged 5 exceptions per audit for three years running. But they've never had the same exception twice, and their security posture improves with every audit cycle.
Building an Exception Prevention Culture
After handling hundreds of exceptions, I've learned that the best exception management strategy is preventing exceptions from happening in the first place.
Here's what works:
1. Implement Continuous Control Monitoring
Don't wait for annual audits to discover control failures. I help organizations implement:
Automated Control Testing:
Daily automated scans of access permissions
Weekly change management compliance reports
Monthly security training completion tracking
Quarterly control effectiveness testing
A fintech company I worked with built a dashboard that shows real-time control health. When a control starts trending toward failure, alerts go out automatically. They catch issues weeks before they become audit exceptions.
2. Create a "Pre-Audit" Audit
Three months before your formal audit, conduct an internal audit using the same rigor your external auditor will use. This gives you time to find and fix issues before they become formal exceptions.
I run these pre-audits for clients, and we typically find 60-80% of the issues that would have shown up in the real audit. The difference? We have three months to fix them instead of three weeks.
3. Establish Exception Learning Sessions
When an exception occurs, don't just fix it—learn from it. I facilitate quarterly "exception retrospectives" where teams discuss:
What caused the exception?
What warning signs did we miss?
How do we prevent this category of exception in the future?
What other controls might have similar vulnerabilities?
One company discovered that 70% of their exceptions stemmed from poor handoffs between teams. They redesigned their process workflows and reduced exceptions by 60% in the next audit.
The Remediation Timeline Tool You Need
Here's a practical planning tool I use to estimate remediation timelines. It's based on 15 years of data from actual remediation projects:
Remediation Type | Base Duration | + Size Factor | + Complexity Factor | + Dependency Factor |
|---|---|---|---|---|
Documentation Fix | 3-5 days | +1 day per 10 documents | +2 days if requires approval | +1 day per external party |
Process Update | 2-3 weeks | +1 week per 50 users | +1 week if training needed | +2 weeks if cross-functional |
Tool Implementation | 6-8 weeks | +2 weeks per integration | +4 weeks if custom development | +2 weeks per vendor |
Infrastructure Change | 8-12 weeks | +4 weeks per environment | +8 weeks if production impact | +4 weeks per dependency |
Example calculation:
Process Update for access reviews
Base: 2 weeks
Size: 200 users = +4 weeks
Complexity: Training needed = +1 week
Dependencies: Cross-functional (IT, HR, Legal) = +2 weeks
Total Estimate: 9 weeks
This framework has proven accurate within ±1 week in 85% of projects I've managed.
When to Push Back on Your Auditor
Here's something most consultants won't tell you: sometimes auditors are wrong.
I've successfully challenged audit findings in about 5% of cases. Here's when it's appropriate:
Valid Reasons to Challenge:
Misunderstanding of control design: The auditor tested for something different than what you designed
Evidence misinterpretation: You provided evidence, but the auditor didn't understand it
Inconsistent application: The auditor applied standards inconsistently across similar controls
Industry-specific context: The auditor lacks industry knowledge relevant to your control
Invalid Reasons to Challenge:
"We ran out of time" (not an excuse)
"Nobody else does this" (irrelevant to your compliance)
"It's too expensive to fix" (not the auditor's problem)
"We documented why we couldn't do it" (documentation doesn't eliminate exceptions)
I once successfully challenged an exception where the auditor claimed our encryption wasn't sufficient. We brought in a cryptography expert who demonstrated that our implementation actually exceeded the control requirement. The exception was withdrawn.
But I've also seen organizations waste weeks arguing about legitimate exceptions that they should have just fixed.
"Challenge exceptions when you're right. Accept them gracefully when you're not. Wisdom is knowing the difference."
The Final Word: Exceptions Are Not Failures
Let me bring this full circle to that fintech company I mentioned at the beginning—the one with 23 exceptions.
We spent six months systematically addressing each exception. We implemented new tools, redesigned processes, trained teams, and built a culture of continuous improvement.
Their next audit? Four exceptions. The audit after that? Two exceptions.
But here's what really matters: they didn't just reduce exceptions. They built a security program that actually worked. They detected and prevented a serious security incident because of the monitoring they implemented to address an exception. They won three major enterprise deals because their improved controls gave customers confidence.
The CEO told me recently: "Those 23 exceptions were the best thing that happened to our security program. They forced us to get serious."
That's the mindset that separates organizations that struggle with compliance from those that thrive with it.
Exceptions aren't failures—they're opportunities. Opportunities to improve, to learn, to build better systems. The organizations that embrace this mindset don't just pass audits. They build security programs that become competitive advantages.
So when you get that email from your auditor with the exception list, take a deep breath. You're not failing. You're learning. And with the right approach to exception management, you're on your way to building something stronger than you had before.
Related Articles:
SOC 2 Complete Guide: Understanding AICPA Trust Services Criteria
SOC 2 Audit Process: Timeline and Milestone Management
SOC 2 Remediation Planning: Addressing Audit Findings