SOC 2 Communicating Control Deficiencies (Principle 17) (CC4.2)
Overview:
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Action Items:
1) Inquire of the senior manager of compliance, or equivalent, regarding security assessments to determine that assessments are conducted both internally and by an accredited independent third-party assessor on an annual basis, and that the results of these assessments are reviewed by management and the board of directors annually.
2) Inspect the most recent board of directors' updates to determine that management provides internal control performance metrics to the board of directors on an annual basis, and that these metrics are formally documented in an internal control performance dashboard for board review.
3) Inspect the most recent board of directors' presentation to determine that assessments are conducted both internally and by an accredited independent third-party assessor on an annual basis, and that the results of these assessments are reviewed by management and the board of directors annually.
Related Documents:
1) Documented internal service level / security assessments
2) Sample report of internal control performance metrics
3) Most recent board of directors presentation regarding information security
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Assesses Results—Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.
2) Communicates Deficiencies—Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
3) Monitors Corrective Action—Management tracks whether deficiencies are remedied on a timely basis.