August 30, 2023

SOC 2 Controls CC4: Monitoring Activities

The fourth SOC-2 requirement in the CC-series is Monitoring Controls.

By
Full name
Share this post

CC4.1

SOC 2 CC4.1 requires that your organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning

CC4.1 highlights the following points of focus:

Considers a Mix of Ongoing and Individual Evaluations

Your organisation’s management should include a balance of continuing and separate evaluations.

Considers Rate of Change

The management team should consider the rate of change in business and business procedures when selecting and developing ongoing and individual evaluations.

Determines Baseline Understanding

The design and current state of an internal control system should be used to set up a baseline for ongoing and individual evaluations.

Uses Knowledgeable Personnel

Management should ensure that evaluators performing ongoing and individual evaluations have sufficient knowledge to understand what is being evaluated.

Integrates With Business Processes

Ongoing evaluations should be built into the business procedures and should be adjusted to changing conditions.

Adjusts Scope and Frequency

The management team should vary the scope and frequency of separate evaluations depending on risk.

Objectively Evaluates

Separate evaluations should be performed periodically to provide objective feedback.

Additional point of focus specifically related to all engagements using the trust services criteria:

Considers Different Types of Ongoing and Separate Evaluations

The management team should use a range of different types of ongoing and separate evaluations. This includes penetration testing, independent certification made against recognised specifications (e.g. ISO certifications), and internal audit assessments.

CC4.2

SOC 2 CC4.2 requires that your organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

CC4.2 highlights the following points of focus:

Assesses Results

Management and the board of directors, as appropriate, should assess results of ongoing and separate evaluations.

Communicates Deficiencies

Any identified deficiencies should be properly communicated to parties responsible for taking corrective action and to senior management and the board of directors as appropriate.

Monitors Corrective Action

The management team should track whether deficiencies are remedied on a timely basis.

Risk Management
Compliance Reporting
Policy Management
Incident Management
Audits and Assessments

Ready to Take Control of Your Privacy Compliance?

Book a demo and experience the difference with Hicomply.

By providing your email, you agree that Hicomply may contact you for scheduling and marketing purposes, subject to Hicomply’s Privacy Policy. You can unsubscribe at any time.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Risk Management
Compliance Reporting
Policy Management
Incident Management
Audits and Assessments