Common Reasons SOC 2 Audits Get Qualified Opinions
SOC 2 audits don't really fail — they come back with qualified or adverse opinions. Here are the five patterns we see most, and how to avoid them.
Technically, a SOC 2 audit doesn't "pass" or "fail" — the auditor issues an opinion: unqualified (clean), qualified (issues in specific areas), or adverse (broad control failures). A qualified opinion is still distributable but raises buyer questions. Here are the patterns that cause them.
1. Missing access reviews during observation
Policy says quarterly access reviews. Observation period is 6 months. Evidence shows one review, at month 5 — after someone remembered. Auditor flags it: control wasn't operating consistently across the period. This is the single most common qualification we see.
Fix: put access reviews on the calendar before observation starts, then actually run them on schedule. Keep the calendar invitations and completion records (screenshots are fine) as evidence that each review happened when it was due.
2. Evidence gaps during periods of change
Company migrates cloud regions mid-observation. For three weeks, evidence collection breaks because integrations weren't re-pointed. Auditor can't confirm controls operated during the gap. Qualification.
Fix: during any major infrastructure change, add evidence continuity to the change plan. Before you flip the switch, confirm the next evidence pull will work from the new state.
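Patterns 1 and 2 are both the same failure seen by the auditor: a stretch of the observation period with no evidence that the control operated. The script below is an added example, not code from the original post or from any product it mentions. It assumes a simple model of each control (a policy frequency in days plus the dates on which evidence exists) and flags every window longer than that frequency with nothing in it, so a team can run the same check the auditor will, before the auditor does. The sample data is constructed to mirror the two patterns above.

```python
"""Check that each control left evidence often enough to cover a SOC 2
observation period, and report the windows where it did not.

Assumed model (not from the page): a control has a policy frequency in days
and a list of dates on which evidence of operation exists. A gap is any
stretch between consecutive evidence dates (or between a period boundary and
the nearest evidence) longer than the frequency plus an optional grace.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Control:
    name: str
    frequency_days: int      # how often the policy says the control must operate
    evidence: list           # dates on which evidence of operation exists


def coverage_gaps(control, start, end, grace_days=0):
    """Return [(gap_start, gap_end), ...] as ISO date strings for every window
    inside [start, end] longer than frequency_days + grace_days with no evidence."""
    limit = control.frequency_days + grace_days
    dated = sorted(d for d in control.evidence if start <= d <= end)
    gaps = []
    prev = start
    # Walk evidence dates in order. The period end acts as a final sentinel so a
    # control that stopped operating before the period closed is also caught.
    for d in dated + [end]:
        if (d - prev).days > limit:
            gaps.append((prev.isoformat(), d.isoformat()))
        prev = d
    return gaps


def coverage_report(controls, start, end, grace_days=0):
    """Map control name -> list of gaps. An empty list means the control
    operated consistently across the whole observation period."""
    return {c.name: coverage_gaps(c, start, end, grace_days) for c in controls}


# ---- constructed sample data mirroring patterns 1 and 2 above ----
START, END = date(2024, 1, 1), date(2024, 6, 30)   # six-month observation period

# Pattern 1: policy says quarterly access review; only one actually ran (month 5).
ACCESS_REVIEW = Control("quarterly access review", 90, [date(2024, 5, 20)])

# Pattern 2: daily evidence pull that broke for three weeks during a migration.
_outage_start, _outage_end = date(2024, 3, 4), date(2024, 3, 24)
CONFIG_SNAPSHOT = Control(
    "daily config snapshot", 1,
    [START + timedelta(days=i) for i in range((END - START).days + 1)
     if not (_outage_start <= START + timedelta(days=i) <= _outage_end)],
)

# A control that did operate on schedule, for contrast.
CHANGE_APPROVALS = Control(
    "weekly change-approval export", 7,
    [START + timedelta(days=7 * i) for i in range(26)],
)

if __name__ == "__main__":
    report = coverage_report([ACCESS_REVIEW, CONFIG_SNAPSHOT, CHANGE_APPROVALS], START, END)
    for name, gaps in report.items():
        print(f"{name}: {'OK' if not gaps else 'GAPS ' + str(gaps)}")
```

The period boundaries matter: a quarterly control with its only evidence in month 5 is flagged for the first 140 days, not just "missing one review", which is also how the auditor reads it. The `grace_days` argument exists so a team can decide how much slip its own policy tolerates; set it to match the policy wording, not to make the report go green.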
3. Inconsistent policies vs practice
Policy says: "All code changes require two approvers." Evidence shows: 15% of PRs merged with one approver due to an emergency. Policy was wrong — practice was actually "two approvers except in documented emergencies." Auditor sees the gap between what you wrote and what you did.
Fix: write policies that match actual practice, then tighten practice toward the policy. If your policy allows emergency exceptions, document the exception process explicitly.
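Once the policy names an exception process, the question for the auditor becomes whether every sub-policy merge went through it. The check below is an added example, not code from the original post or from any product it mentions. It assumes a constructed record shape for pull requests (a number, the count of distinct approvers at merge time, and an optional exception ticket reference that the exception process requires) rather than a real GitHub or GitLab payload, and separates documented exceptions from plain misses so the two are reported as different things.

```python
"""Measure how a two-approver merge policy actually operated over a set of
pull requests, distinguishing documented emergency exceptions from
undocumented deviations.

Assumed record shape (constructed for this example): each PR is a dict with
"number", "approvals" (distinct approvers at merge) and, for emergency merges,
"exception_ticket" holding the reference the exception process requires.
"""
from collections import Counter

REQUIRED_APPROVERS = 2


def classify(pr, required=REQUIRED_APPROVERS):
    """Bucket one PR: met the policy, used the documented exception path,
    or bypassed the policy with no record at all."""
    if pr["approvals"] >= required:
        return "compliant"
    if pr.get("exception_ticket"):
        return "documented_exception"
    return "undocumented_deviation"


def summarize(prs, required=REQUIRED_APPROVERS):
    """Counts plus the two numbers an auditor will ask for: how often merges
    fell below the written policy, and which of those have no paper trail."""
    labels = {pr["number"]: classify(pr, required) for pr in prs}
    counts = Counter(labels.values())
    total = len(prs)
    below = counts["documented_exception"] + counts["undocumented_deviation"]
    return {
        "total": total,
        "compliant": counts["compliant"],
        "documented_exception": counts["documented_exception"],
        "undocumented_deviation": counts["undocumented_deviation"],
        "below_policy_pct": round(100 * below / total, 1) if total else 0.0,
        "undocumented_prs": sorted(n for n, lbl in labels.items()
                                   if lbl == "undocumented_deviation"),
    }


# ---- constructed sample: 20 PRs, 3 of them (15%) merged with one approver ----
SAMPLE_PRS = [{"number": n, "approvals": 2} for n in range(101, 118)]
SAMPLE_PRS += [
    # emergency merges that went through the exception process (placeholder ticket ids)
    {"number": 118, "approvals": 1, "exception_ticket": "INC-PLACEHOLDER-031"},
    {"number": 119, "approvals": 1, "exception_ticket": "INC-PLACEHOLDER-044"},
    # an emergency merge nobody wrote up: this is the finding
    {"number": 120, "approvals": 1},
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PRS).items():
        print(f"{key}: {value}")
```

With a policy that reads "two approvers except in documented emergencies", the 15% below-policy figure from the scenario above is not itself a finding; the one PR in `undocumented_prs` is. Running this against the merge history before the observation period starts tells you which of the two you are about to show the auditor.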
4. Incident not documented
Minor production incident happens during observation. Fixed in 30 minutes, never written up. Auditor asks: "Any incidents in this period?" Engineer says "no, except that one time in March." Now auditor needs to review the undocumented incident and its handling.
Fix: all incidents get written up, even small ones. A 5-minute postmortem template works fine. The documentation is the control.
5. Control owner turnover
Control owner for Access Management leaves in month 3 of observation. Responsibility is "informally" transferred. Auditor asks to see evidence of the transition — handoff docs, training, new owner's first review. Nothing exists.
Fix: build control ownership transitions into your offboarding checklist. When someone leaves, their SOC 2 control responsibilities get formally reassigned with documentation.
The pattern
Every qualification above comes from the same root cause: a gap between "what we said the control is" and "what actually happened." Close that gap, and clean opinions follow.
Stop managing compliance in spreadsheets.
Simpra is the AI-native platform that turns policies, controls, evidence, and risk into one live system of record.