
How to Pass SOC 2 on the First Try: Common Mistakes

Most SOC 2 exceptions are avoidable. Learn the 10 most common mistakes that cause SOC 2 Type II exceptions and how to prevent each one.

Key Takeaways
  • Most SOC 2 exceptions are caused by evidence gaps, not actual security failures.
  • The access review and change management controls are the most commonly tested and most commonly found with gaps.
  • Starting evidence collection from day one of the observation period is the single most important practice.
  • Policies that do not match actual practice generate exceptions — review your policies against actual evidence quarterly.
  • Briefing your team on the audit process prevents common interview mistakes during auditor walkthroughs.

Mistake 1: Late Evidence Collection

The most common cause of SOC 2 Type II exceptions: evidence that does not exist for the middle of the observation period. A company might implement strong controls and diligently collect evidence in months 1 and 6, but have sparse evidence for months 2–5.

Prevention: set up automated evidence collection (Security Hub weekly exports, CloudTrail configuration snapshots) from day one. Create calendar reminders for manual evidence activities (quarterly access reviews, monthly vulnerability scans). Review your evidence library monthly to identify gaps before they become findings.

Mistake 2: Policies That Do Not Match Practice

If your Access Control Policy states "quarterly access reviews" but you only completed two reviews during a 12-month period, that is a policy non-conformance. Auditors compare what policies say to what evidence shows.

Prevention: quarterly self-assessment — read each policy, then check whether your evidence for the past quarter is consistent with every commitment in that policy. Fix discrepancies immediately: either update the policy to match achievable practice or implement the practice to match the policy.

Mistake 3: Incomplete Access Reviews

Common access review failure modes: access review conducted but not documented, systems omitted from the review scope, review conducted by the same person whose access is being reviewed (no segregation), or review completed with no evidence of any action taken on identified issues.

Prevention: use a structured access review template that covers all in-scope systems. Document the reviewer, date, systems covered, users reviewed, and any access changes made.

Mistake 4: Missing Terminated Employee Records

Auditors select a sample of terminated employees and verify that access was revoked. The most common failure: access revoked for corporate SSO but not for a direct database account, Slack, or a rarely-used SaaS tool.

Prevention: maintain a termination checklist covering every system in scope. When an employee leaves, work through the checklist item by item and document completion. Store these checklists as evidence.
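The two prevention steps above (a structured access review template covering every in-scope system, and a termination checklist worked through item by item) can be checked mechanically before the auditor does it for you. The following Python script is an added example, not code from the original article or from AuditPath: it validates one access review record for scope coverage, segregation of duties and evidence of action taken, and one leaver record for a revocation entry on every in-scope system. The system inventory, people, dates and the one-day revocation threshold are all constructed for the example.

```python
"""Validate access-review and offboarding evidence against the in-scope system list.

Example code added to this article, not part of the original; the systems,
people and dates below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical in-scope system inventory: every system the audit scope covers.
IN_SCOPE_SYSTEMS = {"okta", "aws", "github", "postgres-prod", "slack"}


@dataclass
class AccessReview:
    reviewer: str
    review_date: date
    systems_covered: set
    users_reviewed: set
    issues: list    # (user, system, finding) identified during the review
    actions: list   # (user, system, action) taken in response


def validate_access_review(review, in_scope=IN_SCOPE_SYSTEMS):
    """Return the evidence problems an auditor would flag in one review record."""
    findings = []
    missing = in_scope - review.systems_covered
    if missing:
        findings.append(f"scope gap: systems not reviewed: {sorted(missing)}")
    # Segregation of duties: the reviewer must not sign off on their own access.
    if review.reviewer in review.users_reviewed:
        findings.append(f"segregation: {review.reviewer} reviewed their own access")
    # Every identified issue needs a documented action, or the review is unfinished.
    acted = {(user, system) for user, system, _ in review.actions}
    for user, system, finding in review.issues:
        if (user, system) not in acted:
            findings.append(f"no action recorded for {user}@{system}: {finding}")
    return findings


@dataclass
class Termination:
    employee: str
    termination_date: date
    revocations: dict = field(default_factory=dict)   # system -> date access was revoked


def validate_termination(term, in_scope=IN_SCOPE_SYSTEMS, max_days=1):
    """Return the systems with missing or late revocation evidence for one leaver."""
    findings = []
    for system in sorted(in_scope):
        revoked = term.revocations.get(system)
        if revoked is None:
            findings.append(f"{term.employee}: no revocation evidence for {system}")
        else:
            delay = (revoked - term.termination_date).days
            if delay > max_days:
                findings.append(f"{term.employee}: {system} revoked {delay} days late")
    return findings


# Constructed sample records: one weak review, one complete review, one leaver.
WEAK_REVIEW = AccessReview(
    reviewer="alice", review_date=date(2025, 3, 31),
    systems_covered={"okta", "aws", "github", "postgres-prod"},   # slack omitted
    users_reviewed={"alice", "bob", "carol"},                      # reviewer reviews herself
    issues=[("bob", "aws", "AdministratorAccess no longer needed")],
    actions=[],                                                    # issue never actioned
)
COMPLETE_REVIEW = AccessReview(
    reviewer="dave", review_date=date(2025, 3, 31),
    systems_covered=set(IN_SCOPE_SYSTEMS),
    users_reviewed={"alice", "bob", "carol"},
    issues=[("bob", "aws", "AdministratorAccess no longer needed")],
    actions=[("bob", "aws", "removed AdministratorAccess")],
)
LEAVER = Termination(
    employee="bob", termination_date=date(2025, 3, 14),
    revocations={"okta": date(2025, 3, 14), "aws": date(2025, 3, 14),
                 "github": date(2025, 3, 14), "slack": date(2025, 3, 20)},
    # postgres-prod is absent: a direct database account the SSO offboarding missed
)


def run_checks():
    """Run every validator over the sample records and return findings per record."""
    return {
        "weak_review": validate_access_review(WEAK_REVIEW),
        "complete_review": validate_access_review(COMPLETE_REVIEW),
        "leaver": validate_termination(LEAVER),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "->", findings or "no findings")
```

The weak review produces exactly the three failure modes listed above (a system outside the review scope, a reviewer approving their own access, an issue with no recorded action), and the leaver record shows the classic SSO-only offboarding: the direct database account has no revocation evidence at all and the rarely used chat tool was revoked six days late. Running this over every review and termination record before fieldwork turns the checklist from a document into a check.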

Mistake 5: Change Management Gaps

Typical change management gaps: production deployments that bypassed the required pull request review, infrastructure changes made directly in the console without a Terraform PR, or emergency changes that were never retroactively documented.

Prevention: configure GitHub branch protection to enforce required reviews — this creates an automated gate that prevents undocumented changes. For infrastructure: require that all Terraform changes go through PRs with the plan output attached.
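Branch protection is only a control if it is configured tightly enough that nobody can route around it. The script below is an added example, not code from the original article or from AuditPath: it evaluates a branch protection object in the shape returned by the GitHub REST API (GET /repos/{owner}/{repo}/branches/{branch}/protection) and lists the gaps that would let an unreviewed change reach the branch. The two sample configurations, the one-approval threshold and the `terraform-plan` status check name are constructed for the example.

```python
"""Evaluate a GitHub branch protection object against change-management expectations.

Example code added to this article, not part of the original. The dictionaries
follow the shape of the GitHub REST API response for
GET /repos/{owner}/{repo}/branches/{branch}/protection; the two sample
configurations and the 'terraform-plan' check name are constructed."""

MIN_APPROVALS = 1   # hypothetical threshold: at least one reviewer other than the author


def evaluate_branch_protection(protection):
    """Return the list of gaps that would let an undocumented change reach the branch.

    `protection` is the parsed API response for the branch, or None when the
    branch has no protection rule at all."""
    if protection is None:
        return ["branch is unprotected: direct pushes and unreviewed merges are possible"]
    gaps = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        gaps.append("pull request reviews are not required")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < MIN_APPROVALS:
            gaps.append(f"required approving reviews is {count}, expected at least {MIN_APPROVALS}")
        if not reviews.get("dismiss_stale_reviews", False):
            gaps.append("approvals survive new commits: stale reviews are not dismissed")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        gaps.append("administrators can bypass the rules, so the gate is not a control")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        gaps.append("force pushes are allowed, so reviewed history can be rewritten")
    checks = protection.get("required_status_checks")
    if not checks or not checks.get("contexts"):
        gaps.append("no required status check (e.g. a terraform plan job) gates merges")
    return gaps


# Constructed sample: a protection rule exists but is hollow.
WEAK_PROTECTION = {
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "required_approving_review_count": 0,
    },
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "required_status_checks": None,
}

# Constructed sample: the settings the prevention step above calls for.
HARDENED_PROTECTION = {
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "required_approving_review_count": 1,
    },
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "required_status_checks": {"strict": True, "contexts": ["terraform-plan"]},
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_PROTECTION), ("hardened", HARDENED_PROTECTION)):
        print(name, "->", evaluate_branch_protection(cfg) or "no gaps")
```

The weak configuration would pass a casual "is branch protection on?" check yet fails all five tests; the hardened one is what an auditor can treat as an automated gate. Making the Terraform plan job a required status check is also the cleanest way to satisfy "plan output attached": the PR cannot merge until the plan has run and is visible on it.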

Mistake 6: No Vendor SOC 2 Reports

Many companies build their own strong SOC 2 programme but do not collect evidence that their vendors' security is reviewed. CC9.2 requires vendor risk management.

Prevention: build a simple vendor register with a column for "SOC 2 report last collected" and set annual calendar reminders to download updated reports from major vendors (AWS Artifact, Okta Trust Center, GitHub Security page).

Mistake 7: Untested Backups

SOC 2 asks not just whether you have backups, but whether you have tested that they can be restored. Many companies have backup infrastructure configured but have never actually run a restore test.

Prevention: schedule a quarterly backup restore test. Test restoring a non-production database from backup to a test environment. Document: test date, backup date used, restore success/failure, and restoration time.

Mistake 8: Missing Penetration Test

Penetration testing is not explicitly required by the SOC 2 criteria text, but it is widely expected as evidence for CC7.1 (vulnerability management). Auditors almost universally ask for a pen test report.

Prevention: schedule an annual penetration test. Engage a reputable firm (CREST-certified, OSCP-certified testers). The test report, combined with documentation of how you remediated findings, is strong CC7.1 evidence.

Mistake 9: Poor Audit Team Preparation

Auditors conduct control walkthroughs — brief interviews where they ask control owners to explain how a control operates. Unprepared engineers give inconsistent answers, or say things that contradict documented policies.

Prevention: brief every control owner before audit fieldwork begins. Walk through the controls they own: what the control is, how it operates, what evidence supports it, and who can answer questions about it. A 1-hour team session 2 weeks before fieldwork starts prevents most interview-related issues.

Mistake 10: Waiting Until the Last Minute

The observation period ends, the auditor fieldwork begins, and suddenly the team is scrambling to collect missing evidence, write missing policies, and explain gaps. This end-of-period rush is entirely avoidable.

Prevention: conduct a formal pre-audit self-assessment 8 weeks before your planned fieldwork start date. Review every control, check that evidence exists for the full observation period, and identify gaps while there is still time to address them.
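The pre-audit self-assessment above, the evidence-library review from Mistake 1 and the policy-versus-evidence comparison from Mistake 2 are the same question asked at different times: for every control, does evidence exist in every window its policy commits to? The script below is an added example, not code from the original article or from AuditPath. It tiles the observation period into weekly, monthly or quarterly windows per control and reports each window with no evidence. The control register, the cadences and all evidence dates are constructed; the sample library deliberately reproduces the patterns described in Mistakes 1, 2 and 7.

```python
"""Check that evidence exists for every cadence window of the observation period.

Example code added to this article, not part of the original; the control
register, cadences and evidence dates are constructed sample data."""
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical control register: control id -> (description, cadence the policy commits to).
CONTROLS = {
    "access-review": ("Quarterly user access review", "quarterly"),
    "vuln-scan": ("Monthly vulnerability scan", "monthly"),
    "sechub-export": ("Weekly Security Hub export", "weekly"),
    "restore-test": ("Quarterly backup restore test", "quarterly"),
}


def add_months(d, n):
    """First day of the month n months after d."""
    years, month_index = divmod(d.month - 1 + n, 12)
    return date(d.year + years, month_index + 1, 1)


def windows(start, end, cadence):
    """Yield (window_start, window_end) pairs that tile the observation period."""
    if cadence == "weekly":
        cur = start
        while cur <= end:
            yield cur, min(cur + timedelta(days=6), end)
            cur += timedelta(days=7)
        return
    months = {"monthly": 1, "quarterly": 3}[cadence]
    cur = date(start.year, start.month, 1)
    while cur <= end:
        nxt = add_months(cur, months)
        yield max(cur, start), min(nxt - timedelta(days=1), end)
        cur = nxt


def coverage_gaps(evidence, start, end, controls=CONTROLS):
    """Return {control_id: [windows with no evidence]} for the observation period.

    `evidence` is an iterable of (control_id, date) pairs, one per artefact."""
    dates_by_control = defaultdict(list)
    for control_id, d in evidence:
        dates_by_control[control_id].append(d)
    gaps = {}
    for control_id, (_, cadence) in controls.items():
        dates = dates_by_control[control_id]
        missing = [w for w in windows(start, end, cadence)
                   if not any(w[0] <= d <= w[1] for d in dates)]
        if missing:
            gaps[control_id] = missing
    return gaps


# Constructed 12-month observation period and evidence library.
START, END = date(2024, 7, 1), date(2025, 6, 30)
SAMPLE_EVIDENCE = (
    # Policy says quarterly, but only two reviews happened (Mistake 2).
    [("access-review", date(2024, 8, 15)), ("access-review", date(2025, 6, 10))]
    # Monthly scans ran, except that months 3-5 were skipped (Mistake 1).
    + [("vuln-scan", date(2024, 7, 9)), ("vuln-scan", date(2024, 8, 6)), ("vuln-scan", date(2024, 12, 3))]
    + [("vuln-scan", date(2025, m, 5)) for m in range(1, 7)]
    # The automated weekly export never missed a window.
    + [("sechub-export", START + timedelta(days=7 * i)) for i in range(53)]
    # No restore test evidence at all (Mistake 7).
)


def report(gaps):
    """Render gaps as human-readable lines for the pre-audit self-assessment."""
    lines = []
    for control_id, missing in gaps.items():
        desc = CONTROLS[control_id][0]
        for w_start, w_end in missing:
            lines.append(f"{desc}: no evidence for {w_start} to {w_end}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(coverage_gaps(SAMPLE_EVIDENCE, START, END))))
```

On the sample library the automated weekly export is the only control with no gaps, which is the point of Mistake 1: manual activities are where windows go missing. The access review shows the Mistake 2 pattern exactly (two reviews against a quarterly commitment leaves two empty quarters), and the restore test has four empty quarters, one per window. Run at month 2 of the period, the same function shows a gap while it can still be closed; run 8 weeks before fieldwork, its output is the list of gaps to explain in the management response.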

Frequently Asked Questions

What percentage of companies pass SOC 2 on the first try?
Most SOC 2 engagements result in a report being issued — there is no formal fail. However, reports that include notable exceptions (qualified opinions) are common on first engagements. Companies that use compliance automation, collect evidence consistently from the start, and conduct pre-audit reviews are significantly more likely to receive unqualified opinions.

Can we fix an exception after it appears in the draft report?
For Type I, you can remediate before the audit date and present remediated evidence. For Type II, exceptions in the observation period cannot be retroactively fixed. You can provide a management response in the report explaining root cause and remediation.

What is a "qualified opinion" in SOC 2?
A qualified opinion means the auditor found exceptions significant enough to affect the overall opinion. Many enterprise buyers will still accept a qualified opinion, especially for first-time engagements, as long as the exceptions are not in core security controls.

Is a penetration test required annually for SOC 2?
No explicit annual requirement exists in the SOC 2 criteria, but annual penetration testing is the industry standard and what auditors expect. A penetration test older than 18 months at the time of audit is typically considered stale.

What is the most important thing to do in the first week of our SOC 2 programme?
Assign a programme owner with dedicated time (20–30% of their week). Without clear ownership, every other element of preparation will be delayed.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.
