
SOC 2 CC4.2: COSO Principle 17: Evaluates and Communicates Deficiencies

What This Control Requires

The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Identified deficiencies are assessed, reported, and corrected on a timely basis.

In Plain Language

Finding control problems is only half the job. What really matters is how quickly you get those problems to the right people and how effectively you drive them to resolution. Auditors pay close attention to organisations that find issues but let them sit in a backlog indefinitely - that pattern tells them the control environment isn't being taken seriously. You need a structured process for evaluating deficiency severity, communicating issues to the appropriate level of management, tracking remediation, and verifying that fixes actually work. There must be clear accountability - someone owns each deficiency, and there are real deadlines for resolution. Auditors will check that you have a deficiency management process, that issues reach the right stakeholders in a timely manner, that corrective actions are tracked to completion, and that there's follow-up to confirm the fix is effective. A long list of unresolved deficiencies is one of the most common audit concerns.

How to Implement

Set up a formal deficiency management process. Define severity classification criteria (critical, high, medium, low), remediation timelines for each level, escalation paths for overdue items, and requirements for verifying that fixes actually work.

Put a deficiency tracking system in place. A GRC platform, ticketing system, or even a well-maintained spreadsheet will work, but it must give you visibility into all open deficiencies, their status, assigned owners, and target dates. This system is the single source of truth regardless of where the deficiency originated.

Define who gets told about what. Critical and high-severity deficiencies should reach senior management and the board (or audit committee) within days. Medium and low items go into periodic reports - monthly or quarterly. Use a standard reporting format that conveys the nature of the issue, its risk impact, and remediation progress.

Assign a clear owner for every deficiency. The owner should be someone with the authority and ability to fix the problem, not just the person who spotted it. Build accountability for meeting deadlines and include deficiency status in regular management reviews.

Verify before closing. After corrective action is taken, an independent party should confirm the fix is effective and that the root cause has been addressed. Premature closure is a common trap that auditors will catch on the next cycle.

Periodically review the deficiency management process itself. Analyse trends in deficiency types, sources, and resolution times. Use that analysis to identify systemic weaknesses and improve how you handle issues over time.

Evidence Your Auditor Will Request

  • Documented deficiency management process with classification criteria and remediation timelines
  • Deficiency tracking records showing all identified issues, owners, status, and target dates
  • Management reports on deficiency status including escalation of critical/high issues
  • Verification records confirming that remediated deficiencies have been retested and validated
  • Trend analysis of deficiency patterns used to identify systemic control weaknesses

Common Mistakes

  • Deficiencies are identified but not tracked in a centralized system, leading to lost or forgotten issues
  • No defined timelines for remediation, allowing deficiencies to remain open indefinitely
  • Critical deficiencies are not escalated to senior management or the board in a timely manner
  • Deficiencies are closed without verification that corrective actions are actually effective
  • Deficiency management is reactive with no trend analysis or root cause investigation

Related Controls Across Frameworks

Framework    Control ID   Relationship
ISO 27001    A.5.36       Related
ISO 27001    A.8.8        Partial overlap
NIST CSF     ID.IM-03     Related

Frequently Asked Questions

What is the difference between a deficiency and a finding?
A deficiency is something you identify internally - a control weakness you've spotted through your own monitoring. A finding is what the auditor documents when they observe a deficiency during the audit. Ideally, you want to catch and fix deficiencies yourself before they become audit findings. Both should flow through the same management process.
How quickly should critical deficiencies be remediated?
For critical issues posing an imminent threat, put interim mitigations in place within 24 to 48 hours and aim for a permanent fix within 30 days. High-severity items should be resolved within 60 days, medium within 90 days, and low within 180 days. These are reasonable guidelines, but define timelines that match your own risk tolerance and document the rationale.
Should we report all deficiencies to the board?
No - the board needs oversight, not operational noise. Report critical and high-severity deficiencies to the board or audit committee promptly. Provide a quarterly summary covering all deficiencies, trends, and remediation progress. Give them enough to exercise proper oversight without drowning them in detail.
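The process described under "How to Implement" (severity-based timelines, overdue escalation, verify-before-close by an independent party, trend analysis) as a minimal deficiency register. This is an added example, not AuditFront's code; the SLA days come from the FAQ timelines above, and the register entries, names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days to permanent fix per severity, taken from the FAQ above. The 24-48 h
# interim-mitigation window for critical items is a separate check not modelled here.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
# Severities that always go to senior management / the board, not just periodic reports.
ESCALATE = {"critical", "high"}

@dataclass
class Deficiency:
    id: str
    severity: str
    owner: str            # person with authority to fix it, not merely the reporter
    opened: date
    status: str = "open"  # open -> remediated -> closed
    verified_by: Optional[str] = None

    @property
    def due(self) -> date:
        return self.opened + timedelta(days=SLA_DAYS[self.severity])

    def days_overdue(self, today: date) -> int:
        return 0 if self.status == "closed" else max(0, (today - self.due).days)

def close(d: Deficiency, verifier: str) -> None:
    """Verify-before-close gate: a recorded fix, confirmed by someone other than the owner."""
    if d.status != "remediated":
        raise ValueError(f"{d.id}: no corrective action recorded yet")
    if verifier == d.owner:
        raise ValueError(f"{d.id}: verifier must be independent of the owner")
    d.verified_by, d.status = verifier, "closed"

def escalation_report(register, today):
    """Open items for the management/board report: critical or high, or past their SLA date."""
    return [(d.id, d.severity, d.days_overdue(today)) for d in register
            if d.status != "closed" and (d.severity in ESCALATE or d.days_overdue(today) > 0)]

def trend_summary(register):
    """Open vs closed counts per severity; the raw input for periodic trend analysis."""
    out = {}
    for d in register:
        bucket = out.setdefault(d.severity, {"open": 0, "closed": 0})
        bucket["closed" if d.status == "closed" else "open"] += 1
    return out

TODAY = date(2024, 2, 10)  # constructed "as-of" date for the sample run

def sample_register():
    """Constructed sample data: three deficiencies at different stages."""
    return [Deficiency("DEF-001", "critical", "alice", date(2024, 1, 1)),
            Deficiency("DEF-002", "low", "bob", date(2024, 1, 15)),
            Deficiency("DEF-003", "medium", "carol", date(2024, 1, 10), status="remediated")]
```

Running `escalation_report(sample_register(), TODAY)` lists DEF-001 as 10 days past its 30-day deadline, while `close()` refuses DEF-003 until someone other than its owner verifies the fix.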
