Guide 2026-03-29

What Causes SOC 2 Exceptions

A detailed breakdown of the operational and technical controls that most commonly cause SOC 2 audit exceptions, with practical advice on how to avoid them.

This document covers the specific controls that most frequently cause SOC 2 audit exceptions. It's organized into three sections:

  • GRC software setup — integrations, SLAs, and scoping
  • Operational controls — onboarding/offboarding SLAs, access reviews, device compliance, and documentation requirements
  • Technical controls — MFA, PR approvals, vulnerability SLAs, infrastructure monitoring, and password policies

It also includes an appendix with guidance on observation window timing, vendor security reviews, auditor and pen test selection, employee agreements, and risk assessments.
