What is a test exception?
It is your auditor’s job to test every control your organization has identified to address the relevant SOC 2 Trust Services Criteria. Your auditor may uncover instances where an employee missed a required hiring step, gave verbal approval instead of a documented one, performed a control later than scheduled, or similar. When findings like these relate to the operation (or lack thereof) of a control, this is called a test exception. Think of exceptions as anything that falls outside of the expected results when your evidence is tested against your control description.
Having an exception on the final audit report does not mean that your organization has failed the audit! In fact, it's somewhat common for an auditor to have findings or uncover instances where a control did not perform as intended.
If this happens, Section 5 of the SOC 2 report will come into play. This section is where you explain to the reader of your report how you have or will address the finding.
How do I handle an exception?
Section 5 of your SOC 2 report can be used to explain how your organization mitigates or addresses exceptions. You can share your assessment of the risk that the control exceptions pose, any compensating or mitigating controls in place to reduce the risk, as well as any action plans. You can also share this information if the item has already been remediated. Note that if the exception has been remediated between the time it was found and when the SOC 2 report was issued, the auditor cannot retest until the next audit.
Section 5 information is not assessed by the auditor and does not carry any particular weight with the opinion expressed in the SOC 2 report. However, it does help to provide context and additional information to your clients to help reduce any issues that may come up during a Vendor Risk Management or onboarding process.
Final thoughts
Exceptions can happen. They serve as an indicator for your organization to tighten up an internal process, educate control performers, or even implement additional controls. By appropriately addressing exceptions in Section 5 with a well-thought-out plan, you can give your customers comfort that you take exceptions seriously.
For more guidance on avoiding exceptions, check out our “Audit-related evidence essentials” article or reach out via our Chat Feature for real-time Customer Success Support 8a-5p PST Monday through Friday.