Common SOC 2 Control Failures We Keep Seeing and How to Fix Them

Information technology and software continue to expand rapidly, with much of that growth driven by service organizations—companies that provide specialized services to businesses once performed internally. For CPAs, this shift has increased reliance on outsourced service providers for data analytics, cloud hosting, and information security. It has also heightened responsibility for safeguarding company and client data. 

If your organization relies on service organizations, obtaining and reviewing their System and Organization Controls (SOC) 2 report can provide insight into their control environment and any areas of concern. If you are a service organization, clients likely expect you to undergo a SOC 2 examination. After completing numerous SOC 2 engagements across organizations of varying maturity levels, I consistently see the same types of control failures. The good news: most are straightforward to correct with structure, ownership, and repeatable processes.

Below are five of the most common control failures we encounter and practical steps on how to fix them. 

Offboarding breakdowns that create security risks

During many SOC 2 examinations, we frequently identify at least one instance where a terminated employee has retained access to critical systems after their departure – sometimes for weeks or even months. Few control failures present such clear and preventable risk. 

Lingering access increases the risks of unauthorized access to sensitive data, fraud, intellectual property theft, and retaliatory activity. These gaps typically stem from untimely HR notifications, informal communication processes, a lack of formalized offboarding procedures, decentralized applications, or shared accounts. 

Organizations can significantly reduce this risk by implementing formal offboarding workflows. Recommended practices include immediate HR-to-IT notifications through ticketing systems; defined timeframes for offboarding terminated users (for example, access removed within 24 hours); centralized identity management or single sign-on; automation of account disablement where possible; and retention of evidence supporting deprovisioning.
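The reconciliation an auditor performs on this control, written as an added example that is not part of the original article: an HR termination feed is compared against an identity-provider account export, and any terminated user whose account is still enabled past the 24-hour timeframe, was disabled late, or has no deprovisioning ticket is reported as an exception. The data, field names, and the ticket-as-evidence convention are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): an HR termination feed and an
# identity-provider account export, as they might be pulled for audit testing.
HR_TERMINATIONS = [
    {"user": "alice", "terminated_at": "2024-03-01T17:00:00"},
    {"user": "bob",   "terminated_at": "2024-03-02T09:30:00"},
    {"user": "carol", "terminated_at": "2024-03-03T12:00:00"},
]
IDP_ACCOUNTS = [
    {"user": "alice", "enabled": False, "disabled_at": "2024-03-01T18:10:00", "ticket": "IT-101"},
    {"user": "bob",   "enabled": True,  "disabled_at": None,                  "ticket": None},
    {"user": "carol", "enabled": False, "disabled_at": "2024-03-06T08:00:00", "ticket": None},
    {"user": "dave",  "enabled": True,  "disabled_at": None,                  "ticket": None},
]

OFFBOARDING_SLA = timedelta(hours=24)  # the article's example timeframe


def offboarding_exceptions(terminations, accounts, now_iso, sla=OFFBOARDING_SLA):
    """Return (user, reason) pairs an auditor would raise as exceptions.

    A terminated user is flagged when the account is still enabled after the
    SLA, was disabled after the SLA, or has no ticket evidencing deprovisioning.
    Active accounts with no matching termination (e.g. 'dave') are not in scope.
    """
    now = datetime.fromisoformat(now_iso)
    by_user = {a["user"]: a for a in accounts}
    exceptions = []
    for t in terminations:
        acct = by_user.get(t["user"])
        if acct is None:
            continue  # no account in this system; nothing to deprovision here
        deadline = datetime.fromisoformat(t["terminated_at"]) + sla
        if acct["enabled"]:
            if now > deadline:
                exceptions.append((t["user"], "still enabled past SLA"))
            continue  # still inside the window; re-check on the next run
        if acct["disabled_at"] and datetime.fromisoformat(acct["disabled_at"]) > deadline:
            exceptions.append((t["user"], "disabled after SLA"))
        if not acct["ticket"]:
            exceptions.append((t["user"], "no deprovisioning evidence"))
    return exceptions


if __name__ == "__main__":
    for user, reason in offboarding_exceptions(HR_TERMINATIONS, IDP_ACCOUNTS, "2024-03-10T00:00:00"):
        print(f"{user}: {reason}")
```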

Security awareness training that was not documented

Many organizations conduct annual security awareness training and onboarding sessions for new hires. However, during testing, documentation often fails to demonstrate who completed the training, when it occurred, and what topics were covered.

Technology alone cannot prevent breaches. Human error—such as phishing or weak password practices—remains a primary threat vector. Even well-executed training programs can result in audit exceptions if completion is not documented. Documentation gaps often result from decentralized tracking, reliance on manual sign-in sheets, failure to retain reports generated by learning management systems, or lack of assigned ownership over the training. Organizations should implement centralized learning management systems, integrate training into onboarding workflows, assign clear ownership, monitor completion rates, and retain periodic reports as audit evidence. From an audit perspective, if training cannot be demonstrated, it cannot be relied upon. 

When vulnerability management stops at detection

Most organizations readily produce quarterly vulnerability scan reports. The challenge arises when auditors request evidence of remediation. Findings may be untracked or lack defined timelines, ownership, or documentation of resolution. 

Known vulnerabilities represent exploitable weaknesses. Identifying them is only the first step; timely resolution reduces exposure to them. A lack of defined timeframes for remediation, lack of ownership, resource constraints, overwhelming scan results, or a lack of formal vulnerability management policies can contribute to the failure to address known vulnerabilities. 

Organizations should establish a formal vulnerability management policy with remediation timelines prioritized by severity, assign accountable owners, track findings through ticketing systems, document risk acceptance when remediation is not feasible, and retain evidence of closure. Effective vulnerability management requires ongoing identification, prioritization, and resolution. 
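The remediation-tracking check described above, as an added example that is not from the original article: findings exported from a ticketing system are tested against severity-based remediation timelines, and anything open past its due date, remediated late, lacking an accountable owner, or risk-accepted without documented approval is reported. The timelines, field names, and sample findings are constructed assumptions; the article leaves the actual numbers to each organization's policy.

```python
from datetime import date, timedelta

# Assumed remediation timelines by severity, in days from detection.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings as a ticketing system might export them.
FINDINGS = [
    {"id": "VULN-1", "severity": "critical", "detected": "2024-01-02",
     "status": "closed", "closed": "2024-01-06", "owner": "platform"},
    {"id": "VULN-2", "severity": "high", "detected": "2024-01-02",
     "status": "open", "closed": None, "owner": None},
    {"id": "VULN-3", "severity": "medium", "detected": "2024-01-02",
     "status": "closed", "closed": "2024-05-01", "owner": "appsec"},
    {"id": "VULN-4", "severity": "low", "detected": "2024-01-15",
     "status": "risk_accepted", "closed": None, "owner": "appsec", "approval": None},
    {"id": "VULN-5", "severity": "low", "detected": "2024-01-15",
     "status": "open", "closed": None, "owner": "appsec"},
]


def remediation_exceptions(findings, as_of_iso, timelines=REMEDIATION_DAYS):
    """Return (finding id, reason) pairs an auditor would flag.

    Each finding gets a due date of detection + the timeline for its severity.
    Open findings past due, findings closed after due, findings with no owner,
    and risk acceptances with no recorded approval are all exceptions.
    """
    as_of = date.fromisoformat(as_of_iso)
    exceptions = []
    for f in findings:
        due = date.fromisoformat(f["detected"]) + timedelta(days=timelines[f["severity"]])
        if not f.get("owner"):
            exceptions.append((f["id"], "no accountable owner"))
        if f["status"] == "open" and as_of > due:
            exceptions.append((f["id"], f"open past due date {due}"))
        elif f["status"] == "closed" and date.fromisoformat(f["closed"]) > due:
            exceptions.append((f["id"], "remediated after due date"))
        elif f["status"] == "risk_accepted" and not f.get("approval"):
            exceptions.append((f["id"], "risk acceptance not documented"))
    return exceptions


if __name__ == "__main__":
    for fid, reason in remediation_exceptions(FINDINGS, "2024-03-01"):
        print(f"{fid}: {reason}")
```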

Vendor management gaps

Organizations rely heavily on vendors for cloud hosting, identity management, data analytics, and security services. Because these vendors often host sensitive data or perform critical functions, robust vendor oversight is essential. 

Common deficiencies include failing to obtain and review vendor SOC 2 reports, neglecting vendor risk assessments, failure to monitor subservice organizations, and ignoring complementary user entity controls. These deficiencies can lead to blind spots in an organization’s control environment. 

For example, many organizations rely on a cloud hosting provider’s physical security controls to satisfy the SOC 2 trust services criteria over physical security. However, if the vendor’s physical security controls are weak or ineffective, an organization that does not review the vendor’s SOC 2 report may be unaware of that risk. To strengthen oversight, organizations should obtain and review SOC 2 reports for all critical vendors, assign an owner for each vendor, conduct vendor risk assessments for each critical vendor, and document implementation of the applicable complementary user entity controls from each critical vendor’s SOC 2 report.

Policies that don’t match reality

An effective control environment requires policies and procedures that accurately reflect operational practices. Yet some organizations rely on generic templates, fail to communicate policies to staff, or maintain documentation that does not match actual execution. 

Misalignment between documented procedures and real-world practices often leads to audit exceptions—particularly when controls operate differently than described. More importantly, deficiencies in communication of procedures could lead to ineffective controls due to lack of expectations and guidance on executing controls. 

Organizations should conduct annual walkthroughs with process owners, update policies to reflect actual practices, train employees on expectations, and obtain documented acknowledgments. Policies should support operations—not merely satisfy documentation requirements. 

Organizations rarely fail SOC 2 audits because they lack sophisticated technology. More often, deficiencies arise from inconsistent execution, unclear ownership, or insufficient documentation. By strengthening foundational processes—offboarding, training documentation, remediation tracking, vendor oversight, and policy alignment—organizations can significantly improve both audit outcomes and overall security posture.
