What Does a First-Time SOC 2 Audit Actually Find?

TL;DR
  • First-time audits surface a 40-60% gap rate. If yours comes back half-flagged, you're average, not broken.
  • The usual five: no written risk assessment, an untested incident and recovery plan, no scanning, a thin security policy, no formal change process.
  • Finding issues is the sign that someone actually looked. Zero findings on a first audit is the thing to worry about.
  • Most gaps are paperwork and process, not re-architecture. They tend to close in weeks, not months.

Why first-timers have gaps (and why that's normal)

I spent five years doing SOC 2 fieldwork at a Big 4 firm before I started my own. In that time I sat across the table from a lot of companies opening their first audit, and the pattern almost never changes. You built a product. You shipped fast. You hired for engineering, not for an audit program. So when the auditor shows up, the controls a SOC 2 cares about either live in someone's head or haven't made it onto paper yet.

That's not a failing. It's the default state of a company that's been busy building the thing customers actually pay for. In my experience, the typical gap rate on a first-time SOC 2 runs 40-60% of the control areas we look at, and most first-timers would not pass a Type I cold, which is the whole reason a readiness pass exists. (A Type I is the version of the report that checks whether your controls are designed properly at a single point in time.) So if your review comes back with half your controls flagged, you are not an outlier. You are right in the middle of the pack.

What trips people up is that the controls usually aren't *missing* in spirit. You probably do review who has access. You probably do patch things. The gap is that SOC 2 is graded on evidence and consistency, not on good intentions. A control that exists in practice but was never written down, never assigned an owner, and never run on a schedule is, to an auditor, a gap. There's simply nothing to point to that proves it happens.

The five gaps I find almost every time

These five show up in nearly every first-time engagement I've worked. Each one maps to a specific AICPA Common Criterion, so this isn't a hunch. The Common Criteria are the security standards your report is graded against (the formal name is the Trust Services Criteria, or TSC), and these are the spots where they reliably catch new companies.

GapWhy it happensWhat "good" looks like
No written risk assessment (CC3)Founders carry the risks in their heads. Nobody ever sat down and wrote a documented, repeatable assessment. It's the single most common gap I see.A written risk assessment that's run at least once a year, names the real threats to your systems and data, and feeds decisions you can actually show. Not a one-time PDF that dies in a drive.
Untested incident response or recovery plan (CC7.1, CC9.1)Teams assume "we'd figure it out." A plan may exist, but it was never run as a drill, so there's no evidence it works.A documented incident response plan and a business continuity / disaster recovery plan that have been *tested* at least once, with the test and its results written down.
No vulnerability scanning or pen testing (CC7.1)Scanning feels like a "later" problem when you're shipping features. A penetration test (where someone is paid to try to break in) costs money nobody budgeted.Regular vulnerability scanning plus at least an annual penetration test, with a process that actually closes the findings and records the fix.
Outdated or thin security policy (CC5.3)The policy was copied from a template at incorporation and never touched again. Under SOC 2, a policy on its own is never enough.A current information security policy that's reviewed on a schedule, matches what you actually do day to day, and is paired with operating procedures and evidence that you follow them.
No formal change management (CC8.1)Small teams deploy informally. A thumbs-up in chat counts as approval. There's no record of who tested, approved, and shipped.A defined change process where meaningful changes are tested and approved before they go live, with a record of who requested, tested, approved, and deployed each one.

If you've ever read the Common Criteria (they're built on the COSO internal-control framework, the same backbone large companies use), these won't surprise you. CC3, CC7, CC8, and CC9 are exactly the areas where a young company has the least paper. That's no accident. The framework is testing operational discipline, and discipline is the last thing a 12-person team gets around to writing down.

Finding issues is the sign of a real audit

Here's the part nobody tells founders. If your auditor finds nothing on a first-time engagement, that's the thing to worry about, not the clean report.

Look at what the Delve situation surfaced in early 2026. An anonymous investigation alleged that 493 of 494 SOC 2 reports the firm issued were nearly identical, down to the same grammatical errors, and that all 259 Type II reports carried word-for-word identical auditor conclusions. The investigation alleged that reports were pre-populated before clients had submitted a single piece of evidence, and that risk assessments came pre-filled with defaults. Delve has denied the allegations, which remain contested. Set the specific company aside, because the pattern is the lesson on its own. That is the shape of a rubber-stamp audit at scale, and zero findings was the tell.

A real audit follows the standard called AT-C 205, which says just asking is never enough on its own. "Inquiry" is the audit word for asking you a question, and every control needs at least one corroborating procedure on top of it, meaning the auditor has to inspect something, watch it happen, or re-perform it to confirm your answer holds up. When someone actually tests your controls against the criteria, they will find the same first-timer gaps everyone has. Finding them is the work. A report with no exceptions on a first audit isn't proof you're secure. It's a sign that nobody looked very hard.

What a real finding actually reads like

Here is the difference in one control. A termination control (the process for cutting off access when someone leaves) on a rubber-stamp audit reads: "no exceptions noted." That sentence tells you nothing, because you can't see what was tested. A real finding reads more like this: we inspected 8 employee terminations during the period and found 1 where system access wasn't revoked within the 24 hours your own policy requires, so we tested the backup control and confirmed that no login was recorded for that account during the gap. One of those is a checkbox. The other is evidence that someone pulled the full list, sampled it, found the exception, and chased down whether it actually mattered.

The second version is more useful to you, and to the customer reading your report, and it's the version you only get when a real auditor does the work. The way to surface those findings before they cost you a deal is a mock exam run by an actual auditor, rather than a dashboard that only checks whether a policy file exists.

What this means for you

A 40-60% gap rate sounds alarming until you see how fast most of it closes. The gaps above are paperwork and process, not re-architecting your stack. In my experience the common ones get fixed in weeks, not months. Industry timelines put minor gaps at 1-2 weeks to audit-ready and a heavier load at 8-16 weeks, depending on how much you're starting from scratch.

So the move isn't to panic when the findings come back. It's to get the findings *early*, from someone who'll tell you the truth, and fix them before the observation window starts. That's the whole idea behind stress-testing first and verifying after.

Frequently asked questions

What are the most common SOC 2 gaps?
The five I find in nearly every first-time audit: no written, documented risk assessment, an incident response or recovery plan that was never tested, no regular vulnerability scanning or annual penetration test, an outdated security policy, and no formal change management process. They map to the AICPA Common Criteria CC3, CC7, CC8, and CC9, which are the areas where young companies have the least documentation.
What percentage of controls fail a first-time SOC 2?
A typical first-time SOC 2 flags 40-60% of the control areas we look at. Roughly half your controls getting flagged is normal, not a sign of a broken company. Industry estimates also hold that more than 70% of organizations would not pass a first-time Type I without doing a gap assessment first.
Is it bad if my auditor finds issues?
No, it's the opposite. A real audit pairs asking you questions with corroborating procedures, the auditor inspecting, observing, or re-performing things (this is the AT-C 205 standard), so it will surface the same first-timer gaps everyone has. The Delve situation, where 259 Type II reports allegedly carried word-for-word identical conclusions and Delve has denied the allegations, which remain contested, is a useful example of what a zero-finding audit can really be. If your auditor finds nothing on a first engagement, that's the warning sign.
What do auditors look for first?
On a first-time SOC 2 I look first at the foundational Common Criteria where new companies are thinnest: whether there's a documented risk assessment (CC3), whether change management is written down and followed (CC8.1), and whether incident response and continuity plans have actually been tested (CC7.1, CC9.1). These are process and evidence gaps, not deep technical ones, which is why they show up first.
How long does it take to fix common SOC 2 gaps?
Most first-time gaps are paperwork and process, not re-engineering, so they tend to close in weeks. Industry timelines put minor gaps at 1-2 weeks to audit-ready, with a heavier remediation load running 8-16 weeks depending on how much you're building from scratch. The key is finding the gaps early, before your observation period starts.

Keep reading

Sources
  1. AT-C 205: inquiry alone is never sufficient; every control needs at least one corroborating procedure (inspection, observation, reperformance).
  2. AICPA SOC for Service Organizations: a SOC 2 examines controls against the Trust Services Criteria and produces the CPA's report.
  3. Journal of Accountancy: promises of 'fast and easy' threaten SOC credibility.