All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base
Company Security and customers first
About News Partners Careers Contact
Hicomply I
Hicomply app
Solutions Get a demo

CC4.1

SOC 2 CC4.1 requires that your organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning

CC4.1 highlights the following points of focus:

Considers a Mix of Ongoing and Individual Evaluations

Your organisation’s management should include a balance of continuing and separate evaluations.

Considers Rate of Change

The management team should consider the rate of change in business and business procedures when selecting and developing ongoing and individual evaluations.

Determines Baseline Understanding

The design and current state of an internal control system should be used to set up a baseline for ongoing and individual evaluations.

Uses Knowledgeable Personnel

Management should ensure that evaluators performing ongoing and individual evaluations have sufficient knowledge to understand what is being evaluated.

Integrates With Business Processes

Ongoing evaluations should be built into the business procedures and should be adjusted to changing conditions.

Adjusts Scope and Frequency

The management team should vary the scope and frequency of separate evaluations depending on risk.

Objectively Evaluates

Separate evaluations should be performed periodically to provide objective feedback.

Additional point of focus specifically related to all engagements using the trust services criteria:

Considers Different Types of Ongoing and Separate Evaluations

The management team should use a range of different types of ongoing and separate evaluations. This includes penetration testing, independent certification made against recognised specifications (e.g. ISO certifications), and internal audit assessments.

CC4.2

SOC 2 CC4.2 requires that your organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

CC4.2 highlights the following points of focus:

Assesses Results

Management and the board of directors, as appropriate, should assess results of ongoing and separate evaluations.

Communicates Deficiencies

Any identified deficiencies should be properly communicated to parties responsible for taking corrective action and to senior management and the board of directors as appropriate.

Monitors Corrective Action

The management team should track whether deficiencies are remedied on a timely basis.