Calgary in March is mud. The snow at the foothills is melting. The Stampede grounds are reappearing from under their winter cover. The Flames either made the playoffs or didn't, and the answer to that question shapes the mood of about four million downtown coffee meetings. This is also the time of year when mid-market auditors finalize the findings from work they did in November, and the patterns repeat enough that I can predict the top five gaps before you tell me which engagement you ran.
Across SOX, SOC 2, ISO and PCI engagements, the same five mid-market gaps show up year after year. What that tells you about where to invest attention.
(The gap an auditor flags in March is almost always the same gap they flagged in March 2024, which the operator promised in April 2024 to close by August 2024.)
But there's a pattern in what the auditors keep flagging, regardless of which framework they're auditing against. Same five gaps, year after year, across most mid-market operators. They show up because they're hard to close, not because they're hard to notice. Worth knowing what they are.
The five gaps
1. User access reviews that happen but don't actually reconcile. Almost every mid-market operator runs quarterly access reviews. Almost none of them actually catch the meaningful issues - the inherited permissions from a role someone moved out of three years ago, the service account that picked up admin rights for a one-time project, the contractor who left but whose access didn't. The reviews happen because they're required. The reconciliation doesn't happen because it's tedious. Auditors flag it every time.
2. Change management that lives on memory and Slack. The documented change process says one thing. The actual changes show up in production through a mix of pull requests, hotfixes, vendor-pushed updates, and "I just made the small fix" Slack messages. The audit asks for evidence of approved changes; the operator provides what they have; the auditor identifies the gap. Same finding, year after year.
3. Vendor management that isn't actually tracked. The list of third parties with access to the environment is a moving target that nobody owns. The contracts get signed, the integrations get built, the people who built them leave, the documentation doesn't get updated. The next audit asks for the current vendor inventory and the answer is "let me get back to you on that."
4. Logging that exists but isn't reviewed. Security tooling generates logs. The logs accumulate. The runbook says they get reviewed. The actual review happens when there's an incident, which is too late. The auditor asks for evidence of regular review and finds it doesn't exist. The fix isn't more logging; it's a workflow where someone owns the review on a defined cadence.
5. Disaster recovery plans that haven't been tested. The document exists. The recovery time objective is stated. The plan looks reasonable. Nobody has tested it end-to-end. The first time it gets exercised is in an incident, when it's the wrong time to find out which assumptions don't hold.
What this means
These five aren't unknown. Every audit report mentions them. Every leadership team has discussed them. The reason they persist is that they require sustained operational discipline rather than one-time implementation, and most mid-market operators don't have a function whose job it is to maintain that discipline.
The companies that close these gaps and keep them closed have one thing in common: an explicit operational owner for each one. Not a process owner who writes the policy and then walks away. An owner who runs the access review and signs the reconciliation. An owner who tracks the change log against what shipped. An owner who maintains the vendor inventory monthly. An owner who reads the logs on a Friday and writes a one-pager.
The work isn't glamorous. It compounds. The operator who has this in place by their next audit will look meaningfully different than the operator who treats audit prep as a four-week sprint each year.
The auditors will tell you the same thing if you ask them off the record.
This issue of the Operator's Brief is operator pattern recognition from Vencer Group's work with mid-market businesses across industries and geographies. Not industry-specific advice. Read accordingly.
Notes & Methodology
About these figures: This Operator's Brief is a monthly Calgary-rooted, internationally delivered mid-market business observation from Vencer Group. Patterns and trends described reflect Vencer Group's operating experience across mid-market Canadian energy clients - service operators, E&P companies, midstream, and energy services in the 25-300 person range. Industry references (regulatory changes, market events, threat landscape shifts) are drawn from publicly reported sources cited inline where applicable. Specific cost ranges, percentages, and timeframes are Vencer Group estimates based on observations across recent client engagements, framed as estimates where used.
Pattern recognition from 19 years of running operator IT - not prescription for your specific situation. Anyone offering prescription from a blog post is selling something. (Possibly to you.) The 30-min Strategy Review is where the pattern becomes specific to your operation. Free, no proposal, no slide deck.
→ Book the 30-min review