SOC 2 Guide

What Does a First-Time SOC 2 Audit Actually Find?

First-time SOC 2 audits typically surface a 40-60% control gap rate. The five gaps I find almost every time: no formal risk assessment, no tested incident response or BCP/DR, no vulnerability scanning or pen testing, an outdated security policy, and no formal change management. Finding issues is normal, and most of them are fixable in weeks.

Why first-timers have gaps (and why that's normal)

I spent five years doing SOC 2 fieldwork at a Big 4 firm before I started my own. In that time I sat across the table from a lot of companies opening their first audit, and the pattern almost never changes. You built a product. You shipped fast. You hired for engineering, not for an audit program. So when the auditor shows up, the controls a SOC 2 cares about either live in someone's head or don't exist on paper yet.

That's not a moral failure. It's the default state of a company that's been busy building the thing customers actually pay for. The numbers back this up. KirkpatrickPrice, an audit firm that publishes its findings, reports that for most organizations completing a SOC 2 for the first time, the typical gap rate runs 40-60% of assessed control areas. Industry estimates also hold that more than 70% of organizations fail a first-time SOC 2 Type I without doing a gap assessment first. So if your readiness review comes back with half your controls flagged, you are not an outlier. You are exactly average.

What trips people up is that the controls usually aren't *missing* in spirit. You probably do review access. You probably do patch things. The gap is that SOC 2 is graded on evidence and consistency, not intent. A control that exists in practice but was never written down, never assigned an owner, and never run on a schedule is, to an auditor, a gap.

The five gaps I find almost every time

These five show up in nearly every first-time engagement I've worked. Each maps to a specific AICPA Common Criterion, so this isn't a vibe — it's where the Trust Services Criteria reliably catch new companies.

| Gap | Why it happens | What "good" looks like |
| --- | --- | --- |
| No formal risk assessment (CC3) | Founders carry the risks in their heads. Nobody ever sat down and wrote a documented, repeatable assessment. It's the single most common gap I see. | A written risk assessment that's run at least annually, identifies real threats to your systems and data, and feeds decisions you can show. Not a one-time PDF that dies in a drive. |
| Untested incident response / no BCP-DR test (CC7.1, CC9.1) | Teams assume "we'd figure it out." A plan may exist, but it was never exercised, so there's no evidence it works. | A documented incident response and business continuity / disaster recovery plan that has been *tested* at least once, with the test and its results written down. |
| No vulnerability scanning or pen testing (CC7.1) | Scanning feels like a "later" problem when you're shipping features. Pen tests cost money nobody budgeted. | Regular vulnerability scanning plus at least an annual penetration test, with a remediation process that actually closes findings and documents the fix. |
| Outdated or thin security policy (CC5.3) | The policy was copied from a template at incorporation and never touched again. A policy alone is never enough under SOC 2. | A current information security policy that's reviewed on a schedule, matches what you actually do, and is paired with operating procedures and evidence. |
| No formal change management (CC8.1) | Small teams deploy informally — a Slack thumbs-up counts as approval. There's no record of who tested, approved, and shipped. | A defined change process where material changes are tested and approved before production, with a record of requester, tester, approver, and deployer. |

If you've ever read the COSO-derived Common Criteria, these won't surprise you. CC3, CC7, CC8, and CC9 are exactly the areas where a young company has the least paper. That's by design — the framework is testing operational discipline, and discipline is the last thing a 12-person team formalizes.

Finding issues is the sign of a real audit

Here's the part nobody tells founders. If your auditor finds nothing on a first-time engagement, that's the red flag — not the clean report.

Look at what the Delve scandal exposed in early 2026. An anonymous investigation alleged that 493 of 494 SOC 2 reports the firm issued were nearly identical, down to the same grammatical errors, and that all 259 Type II reports carried word-for-word identical auditor conclusions. Reports were allegedly pre-populated before clients submitted a single piece of evidence. Risk assessments came pre-filled with defaults. That is what a stamp audit looks like at industrial scale — and zero findings was the tell.

A real audit applies AT-C 205: inquiry is never enough on its own, and every control needs at least one corroborating procedure. When someone actually tests your controls against the Trust Services Criteria, they will find the same first-timer gaps everyone has. Finding them is the work. A report with no exceptions on a first audit isn't proof you're secure. It's proof nobody looked.

What this means for you

A 40-60% gap rate sounds alarming until you see how fast most of it closes. The gaps above are paperwork and process, not re-architecting your stack. In my experience the common ones get remediated in weeks, not months — industry timelines put minor gaps at 1-2 weeks to audit-ready and a heavier load at 8-16 weeks, depending on how much you're starting from scratch.

So the move isn't to panic when the findings come back. It's to get the findings *early*, from someone who'll tell you the truth, and fix them before the observation window starts. That's the whole point of stress-testing first and verifying after.

If you want to know which of these five you're carrying right now, the honest way to find out is to have someone look. Book a call and we'll walk your actual stack — no template checklist, no black box.

Frequently asked questions

What are the most common SOC 2 gaps?
The five I find in nearly every first-time audit: no formal documented risk assessment, an incident response or BCP/DR plan that was never tested, no regular vulnerability scanning or annual penetration test, an outdated security policy, and no formal change management process. They map to AICPA Common Criteria CC3, CC7, CC8, and CC9 — the areas where young companies have the least documentation.
What percentage of controls fail a first-time SOC 2?
Audit firm KirkpatrickPrice reports a typical gap rate of 40-60% of assessed control areas on a first-time SOC 2. Roughly half your controls getting flagged is normal, not a sign of a broken company. Industry estimates also hold that more than 70% of organizations fail a first-time Type I without first doing a gap assessment.
Is it bad if my auditor finds issues?
No — it's the opposite. A real audit applies inquiry plus corroborating procedures (AT-C 205), so it will surface the same first-timer gaps everyone has. The Delve scandal showed what zero-finding audits actually were: 259 Type II reports with word-for-word identical conclusions. If your auditor finds nothing on a first engagement, that's the warning sign.
What do auditors look for first?
On a first-time SOC 2 I look first at the foundational Common Criteria where new companies are thinnest: whether there's a documented risk assessment (CC3), whether change management is formalized (CC8.1), and whether incident response and continuity plans have actually been tested (CC7.1, CC9.1). These are process and evidence gaps, not deep technical ones, which is why they show up first.
How long does it take to fix common SOC 2 gaps?
Most first-time gaps are paperwork and process, not re-engineering, so they close in weeks. Industry timelines put minor gaps at 1-2 weeks to audit-ready, with a heavier remediation load running 8-16 weeks depending on how much you're building from scratch. The key is finding the gaps early, before your observation period starts.

Sources

  1. For most organizations completing a SOC 2 for the first time, the typical gap rate is 40-60% of assessed control areas.
  2. The 10 most common SOC 2 gaps include risk assessment, business continuity / incident response, network scanning and penetration testing, information security policy, change management, and vendor management.
  3. More than 70% of organizations fail to pass a first-time SOC 2 Type I audit without a prior gap assessment; common gaps include risk assessment, incident response, and vendor management.
  4. Weak/informal change management, irregular vulnerability scanning and missing annual penetration testing, and untested business continuity plans are frequent first-time SOC 2 gaps.
  5. AICPA Trust Services Criteria map risk assessment to CC3, system operations / incident response to CC7, change management to CC8.1, and risk mitigation / vendor management to CC9.
  6. In the Delve scandal, 493 of 494 SOC 2 reports examined were nearly identical and all 259 Type II reports contained word-for-word identical auditor conclusions, with reports allegedly pre-populated before clients submitted evidence.
  7. Remediation of identified SOC 2 gaps typically takes 8-16 weeks; minor gaps can be audit-ready in 1-2 weeks.
  8. SOC 2 audit costs range roughly from $7,000 to $100,000 depending on scope and Type, with most startups falling in the $20,000-$60,000 range.