3 experts weigh in: How to navigate common security audit challenges 


Today’s security leaders face a formidable challenge. The digital landscape is no longer a simple terrain of firewalls and password policies; it’s now a complex ecosystem where every access point, every system update, and every operational procedure represents a potential vulnerability.

The evolving nature of security risks

Modern organizations operate in a world where technology transforms faster than security protocols can adapt. Cloud applications, distributed workforces, and interconnected systems have dramatically expanded the attack surface, making traditional security approaches obsolete. This new reality demands a more nuanced, proactive approach to security audits.

We analyzed thousands of audits from the past few years and identified the top 5 challenges experienced during SOC 2 audits:

  1. Access deprovisioning
  2. Vulnerability remediation
  3. Access reviews
  4. Infrastructure patching
  5. Segregation of duties

We asked some of our in-house security leaders for their best advice on avoiding and managing these challenges for a smoother SOC 2 audit experience. But first…

Meet the experts

  • Jay Trinckes, Data Protection Officer/CISO at Thoropass, has two decades of experience in cybersecurity and privacy. He advises organizations on security and privacy issues and specializes in privacy, healthcare, medical devices, government, banking and credit unions, and regulatory requirements, including HITRUST, HIPAA, GDPR, and CCPR/CCPA.
  • Matt Udicious, Director, InfoSec at Thoropass, is a seasoned InfoSec Assurance Professional with over a decade of experience in cybersecurity, specializing in security, auditing, and compliance. His journey in the field began with a solid foundation, earning a degree in Business Information Technology with a focus on Decision Support Systems from Virginia Tech.
  • Tom Miller, Senior Manager, Infosec Assurance at Thoropass, is an experienced information security professional with certifications as a CPA and CISA. Tom has over 8 years of experience working as an IT auditor at a Big Four and for a top 25 firm in the US. 

Read on for their top tips and expert advice.

Five common challenges experienced during infosec security audits 

1. Access Deprovisioning

Employee transitions—whether through termination, role changes, or departmental shifts—create invisible security gaps. The challenge extends beyond mere technical capability—it’s fundamentally about organizational communication and process. 

Here is what our experts have to say:

Assign owners and establish a tracking system 

Jay: Access deprovisioning is a challenge when people leave your organization or if they transfer to other departments. With most organizations leveraging cloud-based applications, ensuring users are removed from access when no longer required may become even harder. 

At Thoropass, one way to mitigate the risks posed by individuals having unnecessary access to resources is by ensuring all resources (like applications) are assigned an owner and a system administrator (or point of contact). The owner is the manager responsible for the application. They approve access, modifications, or deletions of user access. The system administrator abides by the owner’s directions in providing access, changing privileges (as needed), or deleting a user when access is no longer required. 

Establishing a tracking system for these changes and deleting access is imperative to maintain appropriate access levels. A huge benefit comes if the application integrates with your existing Single Sign-on solution (or with your existing Identity Provider). You can then control access to the application from a centrally managed source, which may alleviate any gaps in communications or changes in employment status. 

When access is terminated within this solution, access to the application is automatically prevented. Another good practice is to ensure terminated or inactive accounts are removed per your policy.

Timely communication of terminations is essential

Tom: One of the biggest risks with access termination controls lies not in IT’s ability to deactivate access promptly but in the timely communication of terminations. Often, the process breaks down because the employee’s manager fails to notify IT quickly enough, leaving a critical gap in the control. This highlights the importance of clear, efficient communication channels between HR, management, and IT to mitigate the risk of unauthorized access.
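As an added illustration (not code from the post or from Thoropass), the reconciliation below turns Jay's and Tom's points into a check that can run each audit cycle: it compares an HR roster against the identity provider's user list and flags terminated people still enabled past the deprovisioning window, enabled accounts with no HR record, and accounts idle beyond policy. The field names, addresses and policy windows are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample exports (not from the original post). Field names are assumptions:
# an HR roster and the identity provider (IdP) user list that SSO-integrated apps inherit from.
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active", "terminated_on": None},
    {"email": "bob@example.com", "status": "terminated", "terminated_on": "2024-03-01"},
    {"email": "carol@example.com", "status": "terminated", "terminated_on": "2024-03-14"},
]
IDP_USERS = [
    {"email": "alice@example.com", "active": True, "last_login": "2024-03-15"},
    {"email": "bob@example.com", "active": True, "last_login": "2024-02-20"},     # HR never told IT
    {"email": "carol@example.com", "active": False, "last_login": "2024-03-13"},  # disabled on time
    {"email": "dave@example.com", "active": True, "last_login": "2023-11-01"},    # no HR record at all
]

# Assumed policy values for this example: disable within 1 day of termination,
# and treat accounts idle for more than 90 days as inactive.
DEPROVISION_SLA = timedelta(days=1)
INACTIVITY_LIMIT = timedelta(days=90)


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def reconcile(hr_roster, idp_users, as_of):
    """Compare the IdP against HR as of a YYYY-MM-DD date; return accounts violating each control."""
    as_of = _day(as_of)
    hr = {p["email"]: p for p in hr_roster}
    findings = {"terminated_still_active": [], "no_hr_record": [], "inactive_account": []}
    for user in idp_users:
        if not user["active"]:
            continue  # already disabled: nothing left to deprovision
        person = hr.get(user["email"])
        if person is None:
            # Orphaned account (contractor, service account or missed leaver): needs an owner
            findings["no_hr_record"].append(user["email"])
        elif person["status"] == "terminated":
            # The communication gap Tom describes shows up here: HR date known, IdP still enabled
            if as_of - _day(person["terminated_on"]) > DEPROVISION_SLA:
                findings["terminated_still_active"].append(user["email"])
        if as_of - _day(user["last_login"]) > INACTIVITY_LIMIT:
            findings["inactive_account"].append(user["email"])
    return findings
```

Running it against the IdP export on a schedule, rather than only at audit time, is what turns the control from a point-in-time exercise into evidence the auditor can sample.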


How Thoropass helps facilitate successful access deprovisioning

Matt: Organizations can leverage the Thoropass platform to effectively monitor and manage user access, promptly removing unnecessary access. By utilizing the people table in conjunction with compliance roadmaps and associated tasks, Thoropass simplifies the de-provisioning process. Removing access for users who no longer require it is critical in mitigating risks and strengthening security. Additionally, many organizations are adopting temporary access controls for privileged rights, enhancing access control programs, and reinforcing a more robust security posture.

2. Vulnerability Remediation

Identifying vulnerabilities is merely the first step in a complex security journey. The true challenge lies in prioritizing, documenting, and systematically addressing these potential risks.

Here is what our experts have to say:

Good documentation is key

Tom: While vulnerability scanners effectively identify issues promptly, a critical gap often lies in the lack of documentation to confirm that vulnerabilities were assessed at the time of discovery. Without proper records, it becomes difficult to ensure compliance with policies that mandate remediation within specific timeframes based on severity. This underscores the need for robust processes that identify vulnerabilities and track and document their timely evaluation and remediation.

Jay: Tracking vulnerabilities through a ticketing system can help ensure that remediation efforts are appropriately followed. 

Prioritizing vulnerabilities and allocating appropriate resources go a long way in managing vulnerabilities. Having a formal exception process in place for vulnerabilities that can’t be mitigated in the appropriate time frame enhances your accountability to security.
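To show what Tom's documentation gap and Jay's exception process look like as a repeatable check, here is an added example (not from the post or from Thoropass) that evaluates tracker tickets against a severity-based remediation policy. It reports missing or late assessment evidence, fixes landed after the deadline, and open findings past their deadline that lack an approved exception. The ticket fields, severities and day counts are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed policy for this example (not the post's): remediation deadline in days per severity,
# plus a triage window within which a newly discovered finding must be assessed.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TRIAGE_DAYS = 2

# Constructed sample tickets exported from a tracker; field names are assumptions.
TICKETS = [
    {"id": "VULN-101", "severity": "critical", "discovered": "2024-04-01",
     "assessed": "2024-04-01", "remediated": "2024-04-05", "exception": None},
    {"id": "VULN-102", "severity": "high", "discovered": "2024-04-01",
     "assessed": None, "remediated": "2024-04-20", "exception": None},       # fixed, no triage evidence
    {"id": "VULN-103", "severity": "medium", "discovered": "2024-01-02",
     "assessed": "2024-01-03", "remediated": None, "exception": None},        # silently overdue
    {"id": "VULN-104", "severity": "critical", "discovered": "2024-03-01",
     "assessed": "2024-03-01", "remediated": None,
     "exception": {"approved_by": "ciso", "expires": "2024-06-30"}},         # formally accepted risk
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None

def evaluate(ticket, as_of):
    """Return the audit findings for one ticket as of a YYYY-MM-DD date (empty list = compliant)."""
    as_of = _day(as_of)
    discovered = _day(ticket["discovered"])
    deadline = discovered + timedelta(days=REMEDIATION_DAYS[ticket["severity"]])
    findings = []
    # Evidence that the finding was assessed when discovered, not merely fixed eventually
    assessed = _day(ticket["assessed"])
    if assessed is None:
        findings.append("no assessment record")
    elif assessed - discovered > timedelta(days=TRIAGE_DAYS):
        findings.append("assessment late")
    remediated = _day(ticket["remediated"])
    exception = ticket["exception"]
    if remediated is not None:
        if remediated > deadline:
            findings.append("remediated after SLA")
    elif exception is not None and _day(exception["expires"]) >= as_of:
        pass  # inside an approved exception: compliant, and the exception itself is the evidence
    elif as_of > deadline:
        findings.append("open past SLA without exception")
    return findings

def sla_report(tickets, as_of):
    # Ticket id -> findings: the table an auditor asks for when sampling the control
    return {t["id"]: evaluate(t, as_of) for t in tickets}
```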

Build a proactive vulnerability management process

Matt: Vulnerabilities can arise in both infrastructure and software, requiring organizations to monitor, assess, and address them proactively. Effective vulnerability management involves identifying new vulnerabilities, prioritizing them based on risk, and taking timely action to remediate them. 


Thoropass integrates with third-party tools, enabling users to detect vulnerabilities, initiate real-time remediation, and document them within the risk management platform for future mitigation efforts. This streamlined approach enhances an organization’s ability to efficiently manage vulnerabilities and reduce risk.

3. Access Reviews

Traditional access reviews often devolve into perfunctory exercises that miss critical security nuances. A comprehensive review must look beyond mere employment status and examine the alignment of access permissions with current roles and responsibilities.

Here is what our experts have to say:

Take a staggered approach to access reviews

Jay: Access reviews can be challenging, depending on how many applications your organization utilizes. Even for smaller organizations, application counts can rise to at least one application per individual on staff. Implementing some of the recommendations provided in the first item of overcoming Access Deprovisioning challenges may assist in making access reviews easier. 

Consider prioritizing your applications. Applications could be categorized by their criticality (how much they are needed or used to run business operations) and by their risks (generally based on the type of data being processed). One way to approach this is to implement a ‘staggered’ approach to access reviews based on your own risk profiles to cover all of your applications but alleviate some of the work on your points of contact responsible for doing the reviews. Ensure your policies/procedures match your activity, and don’t over-promise tasks within your policies that you can’t meet.

For audit purposes, concentrate on the scope of applications since not all applications you use may fall under the audit scope. You may also have to coordinate multiple folks to assist in the reviews since the reviewers may have a partial picture of all those users needing access to a particular application. Having a solution in place to assist in tracking access and maintaining this logging over time can help make access reviews more efficient. For example, the first access review of the year may take a little longer, but if no changes were made over a certain period (or if you just review the ‘deltas’ of any changes), the subsequent reviews take less time.

Make sure you have the right protocols in place

Matt: Ensuring proper access control protocols prevents users from retaining unnecessary access to systems. This supports the principle of least privilege and reduces the risk of unauthorized access. 

With the right automation, organizations can efficiently manage access reviews across third-party vendors and in-scope production systems, providing a comprehensive view of review statuses. For example, with Thoropass, organizations can enable the delegation of system-specific reviews to multiple owners right in the platform, streamlining the process. Centralizing access reviews in Thoropass simplifies execution, ensures consistency, and makes recurring reviews more efficient once the scope is clearly defined.

Avoid common pitfalls such as critical systems or technology oversights

Tom: A common risk in access review controls is the oversight of critical systems or technologies. For example, a control owner might review access to the AWS console and IAM but fail to include local access to a Postgres database that operates outside IAM authorizations. 

Additionally, access reviews often focus solely on whether the user is still employed or not with the organization, neglecting to assess whether the assigned permissions and roles align with the user’s current responsibilities. These gaps highlight the importance of comprehensive scope and detailed evaluation in access reviews.
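Jay's delta-based reviews and Tom's two warnings (a system left out of scope, and access checked only against employment rather than role) can be combined into one review-preparation step. The example below is added here and is not code from the post or from Thoropass; it diffs the current entitlements of each in-scope system against the last approved snapshot, reports any in-scope system with no snapshot at all, and flags rights outside what the person's current job allows. System names, roles and users are constructed assumptions.

```python
# Constructed sample data (not from the post); system, role and user names are assumptions.
IN_SCOPE_SYSTEMS = {"aws_iam", "postgres_prod"}

# Entitlements allowed per job function (assumed policy), so reviewers check fit, not just employment
ALLOWED = {
    "engineer": {"aws_iam": {"ReadOnly", "Developer"}, "postgres_prod": {"app_ro"}},
    "dba": {"aws_iam": {"ReadOnly"}, "postgres_prod": {"app_ro", "app_rw", "superuser"}},
}
HR_ROLES = {"alice": "engineer", "bob": "dba", "carol": "engineer"}

LAST_APPROVED = {
    "aws_iam": {"alice": {"Developer"}, "bob": {"ReadOnly"}, "carol": {"Developer"}},
    "postgres_prod": {"alice": {"app_ro"}, "bob": {"app_rw", "superuser"}},
}
CURRENT = {
    "aws_iam": {"alice": {"Developer", "AdministratorAccess"}, "bob": {"ReadOnly"}},
    "postgres_prod": {"alice": {"app_ro"}, "bob": {"app_rw", "superuser"}, "carol": {"app_rw"}},
}


def review_deltas(previous, current, hr_roles, allowed, in_scope):
    """Return only what a reviewer must act on: scope gaps, changes since approval, misaligned rights."""
    out = {"unreviewed_systems": sorted(in_scope - set(current)), "changes": [], "misaligned": []}
    for system in sorted(in_scope & set(current)):
        prev, cur = previous.get(system, {}), current[system]
        for user in sorted(set(prev) | set(cur)):
            added = cur.get(user, set()) - prev.get(user, set())
            removed = prev.get(user, set()) - cur.get(user, set())
            for right in sorted(added):
                out["changes"].append((system, user, "+" + right))
            for right in sorted(removed):
                out["changes"].append((system, user, "-" + right))
            # Every current right is checked against the job, even for users with no delta
            job = hr_roles.get(user)
            extra = cur.get(user, set()) - allowed.get(job, {}).get(system, set())
            for right in sorted(extra):
                out["misaligned"].append((system, user, right))
    return out
```

A local Postgres role grant that bypasses IAM, the case Tom cites, only appears in this output if the database export is in `current`; the `unreviewed_systems` list is what catches its absence.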

4. Infrastructure Patching

In a world of relentless vulnerabilities, infrastructure patching is not just a task but an ongoing strategic initiative. Organizations must develop a dynamic, responsive approach to system updates.

Here is what our experts have to say:

Incorporate automation into ALL patching configurations

Tom: Automated patching configurations are an effective way to schedule updates and reduce the risk of human error. However, during audits, we often find that certain infrastructure falls outside the centralized configuration, leaving siloed servers noncompliant with the patching process. 

This creates critical gaps that undermine the overall effectiveness of the patching strategy. Ensuring all systems are integrated into the automated process is key to maintaining a consistent security posture.

Maintain good records and test patches prior to implementation

Jay: Ensure you have a good idea of the assets within your infrastructure. This may include a software bill of materials (in case you are developing your own software) or a complete inventory of all resources within your infrastructure. 

Luckily, most organizations have gone to the cloud and keeping track of resources becomes a little bit easier. Utilizing base images when deploying your resources tends to also help keep your systems secure since these base images are consistently updated/patched. Knowing what versions of all software you are operating and running these versions against vulnerability databases to uncover issues is good practice as well as automating these tasks through automated scanner solutions. 

Ensuring patches are appropriately tested before implementation and rolling patches out strategically helps identify issues in a small batch of systems before rolling them out to the entire infrastructure. Identifying which systems have automated patching enabled versus those you may need to update manually is important.

How Thoropass can help you avoid unpatched systems

Matt: Patching infrastructure is essential for maintaining a strong security posture and safeguarding systems against known vulnerabilities and exploits. Unpatched systems are a common target for attackers, increasing the risk of data breaches, service disruptions, and reputational damage. Regular patching protects sensitive data and demonstrates an organization’s dedication to proactive security practices. 

With Thoropass, organizations can seamlessly integrate their infrastructure to receive real-time insights on system versions, alerts for end-of-life risks, and notifications of available updates. By prioritizing patch management, organizations reduce security risks, enhance compliance efforts, and build greater trust with customers and stakeholders.

5. Segregation of Duties

Preventing internal risks requires more than technological controls. It demands a fundamental reimagining of how responsibilities are distributed and monitored.

Segregation of Duties is a concept ensuring there are checks and balances on operations or activities within an organization. For instance, there needs to be a segregation of duties between individuals auditing the organization and those implementing controls in the organization. 

Here is what our experts have to say:

Ensure at least two individuals are involved in riskier activities

Jay: Segregation of Duties is important to maintain systems’ integrity and minimize conflicts of interest. To implement segregation of duties, you first must look at the activity or process flows of certain tasks. If there aren’t at least two individuals involved in certain riskier activities, then you probably have an opportunity to proactively address issues with segregation of duties.


Implement file integrity monitoring to prevent unauthorized deployment

Tom: Segregation of duties between developers and those responsible for deploying changes is a critical control, yet it’s not uncommon to find individuals with both deployment access and development expertise. 

This creates a risk where one person could develop and deploy their changes without oversight. Effective mitigations include implementing file integrity monitoring to detect unauthorized actions or establishing non-bypassable workflows that enforce separation throughout the development-to-deployment lifecycle. These measures help ensure proper controls are maintained, and risks are minimized.
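Tom's scenario has two distinct audit questions: does anyone hold standing rights that let them both develop and deploy, and did any individual change actually get approved or deployed by its own author? The added example below (not from the post or from Thoropass) answers both from an entitlement export and a change log; the users, right names and change records are constructed assumptions.

```python
# Constructed sample data (not from the post); user names, right names and fields are assumptions.
ENTITLEMENTS = {
    "alice": {"repo:write"},
    "bob": {"repo:write", "deploy:prod"},   # standing conflict: can both develop and deploy
    "carol": {"deploy:prod", "approve:pr"},
}
# Pairs of right sets that one person must not hold together (assumed policy)
CONFLICTING_PAIRS = [({"repo:write"}, {"deploy:prod"})]

CHANGES = [
    {"id": "CHG-1", "author": "alice", "approver": "carol", "deployer": "carol"},
    {"id": "CHG-2", "author": "bob", "approver": "carol", "deployer": "bob"},     # author deployed own change
    {"id": "CHG-3", "author": "alice", "approver": "alice", "deployer": "carol"}, # self-approved
    {"id": "CHG-4", "author": "alice", "approver": None, "deployer": "carol"},    # workflow bypassed
]


def static_conflicts(entitlements, pairs):
    """Users whose standing rights alone would let one person develop and deploy."""
    hits = []
    for user, rights in sorted(entitlements.items()):
        if any(rights & left and rights & right for left, right in pairs):
            hits.append(user)
    return hits


def change_violations(changes):
    """Per change id, the separation rules it broke; a non-bypassable workflow should make this empty."""
    out = {}
    for change in changes:
        problems = []
        if change["approver"] is None:
            problems.append("unapproved")
        elif change["approver"] == change["author"]:
            problems.append("self-approved")
        if change["deployer"] == change["author"]:
            problems.append("author deployed own change")
        if problems:
            out[change["id"]] = problems
    return out
```

The first check is preventive (fix the entitlement), the second is detective (evidence the workflow held); auditors typically want both.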

How Thoropass can support Segregation of Duties  

Matt: Segregation of duties is crucial in change management to ensure that no single individual has unchecked control over the entire process, which helps prevent errors, fraud, and unauthorized changes. 

By separating roles, such as development, testing, and approval, organizations create a system of checks and balances that enhances accountability and reduces risks. Organizations can use Thoropass integrations and workflows to validate that changes undergo appropriate approval and testing workflows before being deployed to new environments.

The path forward: Integrated and adaptive security

Successful security audit leadership is no longer about maintaining static defenses. It’s about creating adaptive, intelligent systems that anticipate, detect, and respond to evolving threats.

According to our experts, avoiding the common challenges of the audit process will require proactive measures such as:

  • Continuous learning and adaptation
  • Investment in integrated security platforms
  • A culture of proactive risk management
  • Cross-functional collaboration

Security audits are not a compliance checkbox but a critical business strategy. Organizations can transform potential vulnerabilities into opportunities for enhanced resilience and trust by addressing these five core challenges with sophistication and foresight.
