How It WorksPricingBlogStart Free Trial
All answers

What happens if I miss evidence during my SOC 2 observation period?

March 6, 20262 min readFirst-Time SOC 2

What Happens When Evidence Is Missing

When an auditor can't find evidence for a control during the observation period, they record an exception. An exception means the control didn't operate as described in your policy for that instance.

Exception Severity

SituationImpact
Missed one quarterly access reviewMinor exception — unlikely to affect opinion
Skipped access review for the entire periodMajor exception — affects opinion
One hotfix without documentationMinor exception — normal for startups
Multiple undocumented direct pushes to mainPattern of control failure
Missing incident response for a known incidentSerious — control design questioned
No evidence for an entire control areaMay result in qualified opinion

Will It Cause a Qualified Opinion?

One or two isolated exceptions typically don't cause a qualified opinion. Auditors use professional judgment: Was this an isolated oversight or a systemic failure?

Isolated exception: "We missed the Q2 access review because the CTO was on leave, but Q1, Q3, and Q4 reviews were completed."

Systemic failure: "We wrote a policy saying quarterly access reviews but never conducted any."

How to Prevent Missing Evidence

  1. Calendar reminders: Set quarterly reminders for access reviews, vendor reviews, and policy updates
  2. Evidence checklist: Maintain a list of recurring evidence tasks with due dates
  3. Early collection: Start collecting evidence from day one of the observation period
  4. Automation: Use tools that continuously collect evidence rather than relying on manual snapshots

What to Do If You Already Missed Something

  • Don't fabricate evidence. Backdating screenshots or creating fake review documents is worse than the original gap.
  • Document the gap. Write down what was missed, why, and what you've done to prevent it from happening again.
  • Discuss with your auditor. They may have suggestions for compensating evidence or alternative procedures.
  • Fix the process. Implement the calendar reminders and checklists so it doesn't happen again.

Related Questions

First-Time SOC 2

Can I use my SOC 2 report to skip security questionnaires?

A SOC 2 report reduces security questionnaire burden by 60-80% but doesn't eliminate questionnaires entirely. Most enterprise buyers accept a SOC 2 report in place of detailed control questions, but still ask about data handling specifics, incident history, and business continuity that SOC 2 doesn't fully cover.

First-Time SOC 2

How do I collect SOC 2 evidence across multiple engineering teams?

Collecting SOC 2 evidence across multiple teams requires standardized branch protection rules, consistent access control policies, a shared evidence library, and a designated compliance coordinator. Use the same GitHub settings, CI pipelines, and access review processes across all teams to simplify evidence collection.

First-Time SOC 2

How do I handle emergency changes and hotfixes during a SOC 2 observation period?

Emergency changes during a SOC 2 observation period are acceptable if you document them properly. Create a post-deployment PR within 24 hours, record the justification for bypassing normal review, and get retroactive approval. Having 2-3 documented emergency changes during an observation period won't cause audit findings.

Ready to Automate Your Compliance?

Join 50+ companies automating their compliance evidence with Screenata.

Start Free Trial →

© 2025 Screenata. All rights reserved.