A recent Linford & Co analysis of SOC 2 examinations conducted throughout 2025 highlights four consistent areas where organisations continue to fall short: access control weaknesses, incomplete or unreliable evidence, weak vendor oversight, and gaps in change management processes. These recurring themes, which I have also experienced personally many times over, should raise alarms for IT audit, compliance and technology risk leaders preparing for 2026.
While SOC 2 frameworks are not new, the environments they assess (cloud platforms, distributed workforces, SaaS ecosystems and automated operations) have evolved quickly. That evolution is outpacing the maturity of many control environments.
Access-Control Weaknesses Remain the #1 Root Cause
Linford & Co note that access control gaps continue to dominate SOC 2 findings. The most common failures include:
- Untimely or inconsistent user-access reviews
- Incomplete documentation showing who approved access changes
- Orphaned accounts persisting after offboarding
- Weak privileged-access governance (e.g., unlogged MFA exemptions, shared admin accounts)
For ITGC and SOX-style programmes, these weaknesses map directly into a higher risk of unauthorised activity, misstated system changes, and inadequate audit trails.
Why it matters:
Access controls remain foundational to every security and audit framework. Persistent gaps here signal process immaturity and undermine confidence in more advanced controls.
Incomplete or Unreliable Evidence Across Controls
Another major issue reported is the quality of evidence collected to demonstrate control execution. Examples include:
- Screenshots without timestamps or user attribution
- Missing backup logs
- Unverified system reports with no audit trail
- Lack of evidence showing that management review occurred
For auditors, weak evidence means failed controls, even if the organisation believes the control was properly executed.
The audit insight:
Evidence quality is becoming just as important as control design. Audit-ready documentation is now a competency in itself.
Vendor Risk Governance Is Often Immature
Third-party and fourth-party dependencies are expanding rapidly, but vendor governance is not keeping pace. Linford & Co highlight common gaps such as:
- SOC reports not reviewed or documented
- Vendor risks not tracked or ranked
- Missing remediation follow-ups on vendor exceptions
- Poor visibility into subcontractors (fourth parties)
This is of particular concern in cloud-native or SaaS-heavy environments where critical business processes reside outside internal infrastructure.
The risk implication:
You can outsource a function, but you can’t outsource accountability. Weak vendor oversight can invalidate otherwise strong internal controls.
Change-Management Documentation Is Still a Pain Point
Change-management findings are widespread, especially around:
- Missing approvals for production changes
- Unclear separation between development and production
- Incomplete testing or missing test evidence
- Lack of versioning or rollback documentation
Given the growth of DevOps and infrastructure-as-code, the documentation burden grows, yet many teams still rely on informal or ad-hoc processes.
The ITGC angle:
Incomplete change management remains one of the fastest paths to material misstatement, system outages or hidden vulnerabilities.

What IT Audit and Risk Leaders Should Do Next
The lessons from Linford & Co’s 2025 SOC 2 review map neatly into practical actions for 2026:
1. Strengthen evidence standards
Define minimum documentation requirements (timestamps, approver identity, system-of-record references) and actually enforce them consistently.
2. Make access-control hygiene a quarterly discipline
Don’t wait for annual reviews. Automate where possible, especially for joiner/mover/leaver processes.
3. Formalise vendor risk governance
Track third-party risks, document SOC report reviews, and maintain remediation logs. Treat your ecosystem as part of your control environment.
4. Modernise change management
Adopt structured, DevOps-aligned processes with clear approval flows and automated evidence capture.
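Steps 1 and 2 lend themselves to automation. The following is an added example, not code from the article or from Linford & Co: it reconciles a constructed IdP account export against a constructed HR roster and flags the access and evidence gaps described earlier (orphaned and shared accounts, privileged access without MFA, overdue quarterly reviews, and grant records lacking approver, timestamp or a system-of-record reference). The field names, the sample values and the 90-day cadence are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): an HR roster and an IdP
# account export as an auditor would pull them from the systems of record.
HR_ROSTER = {
    "e100": "active",
    "e101": "terminated",   # offboarded; the account below is still enabled
}
ACCOUNTS = [
    # well-evidenced account with a recent review
    {"user": "alice", "owner": "e100", "privileged": False, "mfa": True,
     "last_review": date(2025, 11, 3),
     "grant": {"approver": "mgr-7", "ts": "2025-01-14T09:02:00Z", "ticket": "CHG-0101"}},
    # owner was offboarded but the (privileged) account persists
    {"user": "bob", "owner": "e101", "privileged": True, "mfa": True,
     "last_review": date(2025, 6, 1),
     "grant": {"approver": "mgr-7", "ts": "2024-03-02T10:00:00Z", "ticket": "CHG-0042"}},
    # shared admin account: no owner, no MFA, approval evidence incomplete
    {"user": "svc-admin", "owner": None, "privileged": True, "mfa": False,
     "last_review": None,
     "grant": {"approver": None, "ts": None, "ticket": None}},
]
AS_OF = date(2025, 12, 1)                          # constructed examination date
REVIEW_PERIOD = timedelta(days=90)                 # quarterly review cadence
REQUIRED_EVIDENCE = ("approver", "ts", "ticket")   # who approved, when, system-of-record ref


def audit_accounts(accounts, roster, as_of):
    """Return (user, finding) pairs for the access and evidence gaps the article lists."""
    findings = []
    for acct in accounts:
        user, owner = acct["user"], acct["owner"]
        if owner is None:
            findings.append((user, "shared account with no named owner"))
        elif roster.get(owner) != "active":
            findings.append((user, "orphaned: owner is not an active employee"))
        if acct["privileged"] and not acct["mfa"]:
            findings.append((user, "privileged access without MFA"))
        last = acct["last_review"]
        if last is None or as_of - last > REVIEW_PERIOD:
            findings.append((user, "access review overdue (quarterly cadence)"))
        missing = [k for k in REQUIRED_EVIDENCE if not acct["grant"].get(k)]
        if missing:
            findings.append((user, "grant evidence missing: " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, HR_ROSTER, AS_OF):
        print(f"{user:10} {finding}")
```

Run against real exports, the output doubles as timestamped, attributable evidence that the quarterly review actually took place.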
Closing Insight & Call to Action
SOC 2 gaps are not simply compliance issues; they are signals of deeper control weaknesses that will impact ITGC maturity, SOX readiness, and technology risk resilience.
By addressing access governance, documentation quality, vendor oversight and change-management discipline today, organisations can enter 2026 with stronger audit confidence and reduced operational risk.