You’ve completed your SOC 2 exam and … you got a minor control exception.
Let’s say the exception relates to a control stating that new hire access is authorized by the Director of Engineering, and evidence was not available to prove this for one of the auditors’ samples).
You feel panic start to set in – you spent months preparing your company for this, spent thousands of dollars to receive this report, all for it to emerge with this glaring red stamp across the front.
Don’t panic. It’s common to get control exceptions, and report users don’t expect perfection.
I won’t lie – for many readers of a SOC 2 report completing their security review, the list of exceptions is often the first place they look.
But if you handle this situation properly, it’s actually a chance to build trust with your users, as it will gain their attention, and you can provide what’s called a Management’s Response.
Skeptical? A Harvard Business Review survey concluded that transparency is actually one of the core factors to increase customer trust. What better way to show transparency than to provide details on what went wrong?
In the SOC 2 report, the auditor will present the testing exception simply saying “here’s the control, here’s our testing, and here are the results”.
Now you (the auditee) have the opportunity to provide a Management Response which gets presented alongside those testing results with the goal of inspiring confidence in the reader. So, word this Response just as you might respond to a customer of yours who wanted to know more about this issue, including explaining:
- why the control failed in the first place
- the impact of the exception in the grand scheme of things
- remediating actions completed (or planned)
- other work that was done that performs a compensating function
- any other mitigating factors you can think of
Then, get to work fixing the process so that you don’t get slapped with the same exception next year.
Looking for an auditor who can help guide you through the SOC 2 process? – Contact Render
