Can I redo a SOC 2 audit if I don't like the findings?

No. Once the auditor has performed the testing and formed an opinion, the report is issued. You cannot 'unwind' the engagement. Your remediation goes into the next cycle's report. Some companies engage a different auditor for the next cycle to get a fresh perspective; the previous report still exists.

Do I have to share a report with exceptions with customers?

Yes if your contract requires SOC 2 Type II. You can negotiate timing — for example, asking customers to wait for the remediated next cycle — but you cannot withhold the existing report and represent yourself as having a clean SOC 2.

What is the difference between a qualified opinion and an adverse opinion?

A qualified opinion identifies specific exceptions but states that controls are otherwise effective. An adverse opinion states that controls did not operate effectively in material respects across the audit period. Qualified is recoverable in normal procurement; adverse usually requires remediation and re-audit before customer contracts can proceed.

How common are exceptions in SOC 2 reports?

Very common. Most first-cycle SOC 2 Type II reports for startups under 50 employees have at least one exception. Auditors rarely issue completely clean opinions on first audits. The buyer expectation is that exceptions are documented, severity is clear, and remediation is in flight.

DisclosureIndependent directory. Not a CPA firm. Nothing here is legal, audit, or tax advice. Methodology.

What happens if I fail my SOC 2 audit?

By Editorial team · Published 2026-04-26 · Last updated 2026-04-26

There is no formal 'fail.' Auditors issue qualified or adverse opinions, or note exceptions in the report. The report still exists — buyers evaluate the severity themselves.

Short answer: there is no formal 'fail.' SOC 2 is an attestation, not a certification. The auditor issues an opinion — unqualified (clean), qualified (mostly clean with specific exceptions), adverse (controls did not operate effectively), or disclaimer (couldn't gather enough evidence). The report still gets issued. Customers read the opinion section and decide.

The four possible auditor opinions

What 'exceptions' actually look like

An exception is a specific finding the auditor documented during testing — for example, 'During the observation period, 3 of 25 sampled access reviews were completed after the documented quarterly cadence.' The auditor describes the exception, your management response describes the remediation, and the report is issued with both. Most reports have at least one exception; most enterprise buyers tolerate them.

Exceptions buyers care about most

Logical access (CC6) exceptions: terminated employees with active credentials, missing access reviews, MFA gaps. High buyer scrutiny.
Change management (CC8) exceptions: production deploys without ticket or review, missing approval evidence. High buyer scrutiny.
Encryption (CC6.7) exceptions: data at rest or in transit not encrypted as policy specified. Medium-to-high scrutiny depending on data sensitivity.
HR (CC1) exceptions: missing background checks, missing security training records. Low scrutiny — rarely a deal-killer.
Vendor risk (CC9) exceptions: missing or stale third-party assessments. Low to medium scrutiny.

How to remediate exceptions

Document the gap. The auditor will. You should too — what failed, why, what you are changing.
Implement the fix immediately. Most exceptions are operational drift (an access review that slipped a quarter); the fix is a calendar reminder, not a system rebuild.
Track remediation in your GRC platform. Auditors check this on the next cycle.
Issue a bridge letter or interim attestation if a major customer is mid-evaluation. Your auditor can issue this within 1 to 2 weeks.
Re-audit on the standard 12-month cycle. The next report should show the exception remediated.

What to do if you get an adverse opinion

Adverse opinions are rare and typically mean systemic control failure — for example, no logical access controls, no change management, or evidence of unauthorized access. Step one: stop sharing the report externally and inform your auditor's recommendations are part of the remediation plan. Step two: rebuild the program. Step three: re-engage in 6 to 12 months for a follow-up Type II that demonstrates remediation. The original adverse report is a fact; the follow-up clean report is the answer.