One of the most challenging aspects of a System and Organization Controls (SOC) engagement is evaluating exceptions / control failures and determining how they will impact the SOC report and whether they will result in a qualified or adverse opinion. The purpose of this whitepaper is to help service organizations understand the process that service auditors follow to evaluate exceptions and present practical strategies to reduce the impact of exceptions on the service auditor’s opinion.
Here is a link to the whitepaper: Evaluating Exceptions_Managing the Risk