Got a SOC2 Qualified Opinion? Here’s What to Do in the Next 72 Hours
A qualified opinion is not the end of your compliance program. It is a specific signal about specific controls. What you do in the next 72 hours — who you brief, what you review, what you do not say yet — determines whether this becomes a manageable remediation or a deal-killing crisis.
Read the exceptions section of the report in full. Write down exactly which controls failed, which Trust Services Criteria they map to, and whether each exception is a design deficiency, a control that did not operate, or missing evidence for a control that did run. That list drives every decision that follows.
Brief your CEO and Legal — not IT, not Sales, not customers yet. This is a legal and executive decision before it is an operational one.
Review every enterprise customer contract that references SOC2, information security obligations, or material security incidents. Flag any that require notification.
Do NOT ask your original auditor to design or implement the fixes. Under the AICPA independence rules a CPA firm that performs those nonattest services cannot then attest to controls it helped build. Get remediation help from a separate consultancy or your own team; your current auditor can still perform the next examination.
Do NOT send your current SOC2 report to prospects who are actively in procurement review. Pause those conversations while you assess the impact of the exceptions.
Contact a remediation consultant, and either your current auditor or a new audit firm, for an initial scoping call. Get a timeline and cost estimate before committing to any customer-facing communications.
What a Qualified Opinion Actually Means
A qualified opinion means the auditor concluded that, except for the specific matters listed, the controls were suitably designed and operated effectively during the observation period. The report identifies which Trust Services Criteria were affected and what exceptions were found; an exception can be a design deficiency, a control that did not operate, or evidence the auditor could not obtain for a control that did. Everything else in the report remains valid: the controls that passed, the system description, and the auditor's procedures.
This is categorically different from an adverse opinion (which means the controls broadly failed and the report cannot be relied upon) or a disclaimer of opinion (which means the auditor could not obtain enough evidence to form an opinion). Those are rare and severe. Qualified opinions are much more common and much more recoverable.
What enterprise customers actually do when they receive a qualified opinion report from a vendor:
Read the exceptions section carefully
Sophisticated procurement teams read the exceptions, not just the opinion type. A single exception for quarterly access reviews not being documented is very different from exceptions for encryption not being implemented.
Assess severity and scope
If the exception is administrative (documentation missing for a control that exists) vs. operational (the control was simply not implemented), buyers weight these very differently. Operational failures are more concerning.
Ask for a remediation plan
Most enterprise security teams will ask: what failed, what did you do about it, and when will you have a clean opinion? Having a concrete written remediation plan significantly improves deal survival.
Escalate if contractually required
Some MSAs and DPAs require notification of a material security finding within a defined window, commonly 30–90 days, and some define "finding" broadly enough to cover an audit exception. Legal must review that definition before sales takes over the communication.
See the 10 most common SOC2 control failures to understand what your exceptions likely are and how to remediate them.
Communicating With Your Customers
Three scenarios, three different approaches. Use these scripts as a starting point — review with legal before sending anything.
Customers who have not asked for your SOC2 report
Do not proactively disclose unless your contracts require it. Update your Trust Center with the current report (with NDA requirement). If asked directly, answer honestly. Proactive disclosure to customers who have not asked creates confusion and concern where none existed.
Customers who ask directly for your current SOC2 report
Provide the report under NDA as normal. If the customer asks about the qualified opinion, respond with: "We received exceptions on [specific controls] during our [period] observation period. We have completed remediation of [describe what you fixed] and are currently in a new observation period. We expect an unqualified opinion on our next report, which we anticipate issuing in [timeframe]. I am happy to walk you through the specific exceptions and our remediation steps if that would be useful." Do not minimize. Do not over-explain. Offer specifics if they want them. Only claim that remediation is complete when it is: in the first weeks after the report, say instead that remediation of the named controls is under way and give the date you expect to finish. A customer who later learns the fix was not done loses more trust than the exception itself cost you.
Customers who have contracts requiring an unqualified opinion
This is a legal matter first. Your contract may say you are in breach, or it may give you a cure period, or it may be silent on cure. Do not respond to the customer until legal has reviewed the specific contract language. Options typically include: negotiate a cure period, provide a remediation timeline and interim compensating controls attestation, or escalate to your insurance carrier if the contract breach triggers coverage.
The Remediation Path
Remediation is not just fixing the controls; it is demonstrating to the auditor that the corrected controls now operate effectively over a sustained period. The observation period matters.
Fix the specific controls cited in the exceptions. This means implementing the process, documenting it, and collecting evidence that it operated as intended. Access reviews need to be performed and documented. Change management needs approved tickets. Training needs completion records.
After fixing the controls, you need a period where the new or corrected controls operate continuously. Auditors sample across the period, so a monthly control needs several completed cycles with evidence before it can be tested; a single run on the day after you fixed it proves nothing. The minimum meaningful observation period for remediated controls is 3 months; 6 months is standard.
Your auditor, or a new firm if you choose to switch, performs the next examination. Expect the previously excepted controls to be tested with heightened scrutiny. If the remediation was thorough and the observation period was sufficient, the new report carries an unqualified opinion covering the new period.
Total realistic timeline: 3–9 months from receiving the qualified opinion to issuing a new clean report. More structural failures (encryption gaps, missing security program infrastructure) skew toward 9 months. Documentation-only failures (quarterly reviews not evidenced) can be resolved in 3–4 months.
Choosing a Remediation Auditor
Separate who fixes the controls from who examines them. Under the AICPA independence rules a CPA firm cannot design and implement the controls it will later examine, because it would be reviewing its own work; that is the conflict to avoid. Your original auditor may still perform the next examination if they did not build the remediation, and switching firms is a legitimate choice rather than a requirement. Whichever firm you use, have the remediation done by a consultant or your own team that is not part of the examination engagement.
What to look for in a remediation specialist:
Experience with post-qualified-opinion re-audits specifically — ask directly how many they have handled
Willingness to provide a written remediation roadmap before starting the audit engagement
Clear communication about what will and will not constitute sufficient evidence for remediated controls
Reasonable timeline expectations — be skeptical of any firm promising a clean opinion in under 3 months
A CPA firm licensed by its state board of accountancy, since only a CPA firm can issue a SOC2 report; verify the license with the state board, not from the firm's own website, and ask for the result of their most recent AICPA peer review
Use the SOC2 auditor directory to find firms with experience in remediation engagements.
Preventing It Next Time
Most qualified opinions come from the same handful of control failures. After remediation, give each of these a named owner, a calendar reminder, and a fixed place where the evidence is stored:
Access reviews
Review at the cadence your policy commits to (monthly is safer than quarterly) and keep the documented output: who reviewed, the account list, what was removed, and the date. The auditor tests against your written policy, so if you change the cadence, change the policy first.
Terminated employee access
HR offboarding checklist must include IT access revocation confirmation within 24 hours. Log every termination with timestamps for both the termination and the revocation, because the auditor will compare the two.
Security awareness training
Annual training completion logged in LMS with completion date per employee. Pull the report quarterly.
Change management approvals
Every production deployment needs a ticket or pull request with approval history. Enforce it at the tooling level, not just in policy: branch protection should require review before merge, and the pipeline should refuse to deploy a change without a linked approval.
Vendor reviews
Annual calendar event to pull SOC2 reports from critical subservice organizations, read their exceptions and complementary user entity controls, and document your review.
Incident log maintenance
Every incident, even a minor one, needs a dated entry with what happened, who responded, and how it was closed. An incident log that is empty for the whole observation period is rarely credible and invites extra scrutiny.
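The terminated-employee check above is the kind of control that should be enforced and evidenced by a script rather than a checklist alone. What follows is an added example, not code from the original article: it reconciles a constructed HR termination feed against a constructed identity-provider user export, flags every account that was still active, or was revoked late, past the 24-hour window, and emits a dated evidence record with a SHA-256 over the findings so the stored file can be shown to an auditor unaltered. The field names, status values, the fixed "as of" time and all sample rows are assumptions made for the demonstration.

```python
"""Reconcile HR terminations against an IdP export and produce evidence.

Added example, not from the original article. Record layouts, status
names and all sample rows below are assumptions constructed for the demo.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

REVOCATION_SLA = timedelta(hours=24)          # the policy commitment being tested
INACTIVE_STATUSES = {"DEPROVISIONED", "SUSPENDED", "DISABLED"}

# Constructed HR termination feed (field names assumed).
HR_TERMINATIONS = [
    {"employee_id": "E100", "email": "alice@example.com", "terminated_at": "2024-03-01T17:00:00Z"},
    {"employee_id": "E101", "email": "bob@example.com",   "terminated_at": "2024-03-03T09:30:00Z"},
    {"employee_id": "E102", "email": "carol@example.com", "terminated_at": "2024-03-04T12:00:00Z"},
]

# Constructed IdP user export (field names and status values assumed).
IDP_USERS = [
    {"email": "alice@example.com", "status": "DEPROVISIONED", "status_changed": "2024-03-01T18:10:00Z"},
    {"email": "bob@example.com",   "status": "ACTIVE",        "status_changed": "2023-06-12T08:00:00Z"},
    {"email": "carol@example.com", "status": "SUSPENDED",     "status_changed": "2024-03-06T15:00:00Z"},
    {"email": "dave@example.com",  "status": "ACTIVE",        "status_changed": "2023-01-01T00:00:00Z"},
]

# Fixed "now" so the demo is reproducible; use datetime.now(timezone.utc) in practice.
AS_OF = datetime(2024, 3, 10, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass(frozen=True)
class Finding:
    employee_id: str
    email: str
    terminated_at: str
    idp_status: str
    hours_open: float   # hours the account stayed usable past termination
    reason: str         # "still active" or "revoked late"


def reconcile(hr_rows=HR_TERMINATIONS, idp_rows=IDP_USERS, as_of=AS_OF) -> list[Finding]:
    """One Finding per terminated employee whose access outlived the SLA.

    An email absent from the IdP export is treated as already removed. A
    status change earlier than the termination (account disabled in
    advance) is inside the SLA by construction and is not a finding.
    """
    idp = {u["email"].lower(): u for u in idp_rows}
    findings = []
    for row in hr_rows:
        terminated = parse_ts(row["terminated_at"])
        user = idp.get(row["email"].lower())
        if user is None:
            continue
        status = user["status"].upper()
        if status in INACTIVE_STATUSES:
            open_for = parse_ts(user["status_changed"]) - terminated
            reason = "revoked late"
        else:
            open_for = as_of - terminated
            reason = "still active"
        if open_for <= REVOCATION_SLA:
            continue
        findings.append(Finding(row["employee_id"], row["email"], row["terminated_at"],
                                status, round(open_for.total_seconds() / 3600, 1), reason))
    return findings


def evidence_record(reviewer: str, hr_rows=HR_TERMINATIONS, idp_rows=IDP_USERS, as_of=AS_OF) -> dict:
    """Dated evidence entry for the control file.

    The SHA-256 is computed over the canonical JSON of the findings, so an
    auditor can recompute it and confirm the stored record was not edited.
    """
    findings = [asdict(f) for f in reconcile(hr_rows, idp_rows, as_of)]
    canonical = json.dumps(findings, sort_keys=True, separators=(",", ":")).encode()
    return {
        "control": "terminated employee access revoked within 24 hours",
        "reviewed_at": as_of.isoformat(),
        "reviewer": reviewer,
        "terminations_checked": len(hr_rows),
        "exceptions": len(findings),
        "findings": findings,
        "findings_sha256": hashlib.sha256(canonical).hexdigest(),
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record("security-ops"), indent=2))
```

Run on the constructed data, the script flags Bob (never revoked) and Carol (suspended 51 hours after termination) and clears Alice, who was deprovisioned within the window. Replace the inline lists with the real HR and IdP exports, run it on a schedule, and commit the JSON output to the evidence store; each stored record then carries its own date, reviewer and integrity hash.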
For a deeper look at all 10 of the most common failures, see the SOC2 control failures guide.
Frequently Asked Questions
Is a qualified SOC2 opinion the same as failing the audit?
No. A qualified opinion means that most of your controls were tested and found effective, but one or more specific controls had exceptions — meaning the auditor found evidence that the control did not operate as described during the observation period. It is not a binary pass/fail. The report is still valid and still demonstrates a significant compliance effort. The exceptions section of the report tells you exactly what failed. Many companies with qualified opinions still win enterprise deals because buyers evaluate the severity and scope of exceptions, not just the opinion type.
Do I have to tell my existing customers about a qualified opinion?
It depends on your contracts. Review every enterprise contract that references SOC2 or information security requirements. Some contracts require notification of material security findings; whether a qualified opinion meets that definition depends on the contract's wording, so read it rather than assume. Others simply require you to maintain SOC2 and provide a current report on request; in that case, you fulfill the obligation by providing the report with the qualified opinion attached. When in doubt, consult your legal counsel before disclosing or withholding.
How long does it take to remediate a qualified opinion?
The remediation timeline depends entirely on the nature of the exceptions. Access control failures (terminated employee access, quarterly reviews not performed) can be remediated in 30–60 days. Policy gaps can be closed in 2–4 weeks. More structural issues, such as change management processes that were never implemented or encryption gaps requiring infrastructure changes, can take 3–6 months. After remediation, you need a new observation period (3 months at minimum, 6 months typically) before a new audit can confirm the exceptions are resolved, which is why the end-to-end timeline runs 3–9 months.
Can my original auditor perform the remediation audit?
Yes, with one limit. The independence problem is not re-testing: your auditor can examine the same controls again in the next period. The problem is nonattest services: under the AICPA independence rules, a firm that designs or implements your fixes cannot then attest to them. Keep the remediation work with a separate consultancy or your own team and your original auditor can perform the next examination; switching firms is an option, not a requirement. Some consulting firms specialize in exactly this, post-qualified-opinion remediation and re-audit coordination, and they are the ones to engage for the fixing, not for the opinion.
Will a qualified opinion appear in a future clean report?
No. Each SOC2 report covers its own observation period independently. If you remediate the exceptions and complete a new examination, the new report reflects the new observation period and the controls as they operated during that period, and buyers reviewing it see an unqualified opinion. Your prior qualified opinion report does not appear in or annotate the new report, though some buyers ask whether you have had prior qualified opinions, and you should answer honestly.