SOC 2 Controls CC4: Monitoring Activities
The fourth SOC-2 requirement in the CC-series is Monitoring Controls.
CC4.1
SOC 2 CC4.1 requires that your organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
CC4.1 highlights the following points of focus:
Considers a Mix of Ongoing and Individual Evaluations
Your organisation’s management should include a balance of continuing and separate evaluations.
Considers Rate of Change
The management team should consider the rate of change in business and business procedures when selecting and developing ongoing and individual evaluations.
Determines Baseline Understanding
The design and current state of an internal control system should be used to set up a baseline for ongoing and individual evaluations.
Uses Knowledgeable Personnel
Management should ensure that evaluators performing ongoing and individual evaluations have sufficient knowledge to understand what is being evaluated.
Integrates With Business Processes
Ongoing evaluations should be built into the business procedures and should be adjusted to changing conditions.
Adjusts Scope and Frequency
The management team should vary the scope and frequency of separate evaluations depending on risk.
Objectively Evaluates
Separate evaluations should be performed periodically to provide objective feedback.
Additional point of focus specifically related to all engagements using the trust services criteria:
Considers Different Types of Ongoing and Separate Evaluations
The management team should use a range of different types of ongoing and separate evaluations. This includes penetration testing, independent certification made against recognised specifications (e.g. ISO certifications), and internal audit assessments.
CC4.2
SOC 2 CC4.2 requires that your organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
CC4.2 highlights the following points of focus:
Assesses Results
Management and the board of directors, as appropriate, should assess results of ongoing and separate evaluations.
Communicates Deficiencies
Any identified deficiencies should be properly communicated to parties responsible for taking corrective action and to senior management and the board of directors as appropriate.
Monitors Corrective Action
The management team should track whether deficiencies are remedied on a timely basis.
Ready to Take Control of Your Privacy Compliance?
See how Hicomply can accelerate your path to CAF compliance in a 15-minute demo.