SOC 2 CC4.1: COSO Principle 16: Selects, Develops, and Performs Ongoing and/or Separate Evaluations
What This Control Requires
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. The entity uses a variety of ongoing and separate evaluations, including penetration testing, internal audits, and other assessment methods to monitor the effectiveness of internal controls.
In Plain Language
Having controls on paper means nothing if you're not regularly checking that they actually work. Auditors see this constantly - organisations design a solid control environment, then never verify that it's operating as intended. CC4.1 demands a systematic approach to testing and monitoring your controls throughout the year.
In practice, you need two types of evaluation. Ongoing monitoring covers automated alerts, continuous monitoring dashboards, and daily operational checks. Periodic separate evaluations include internal audits, penetration tests, vulnerability assessments, and targeted control testing. You need both - ongoing monitoring catches real-time issues, while periodic deep dives reveal problems that day-to-day monitoring misses.
Auditors evaluate whether you have a defined monitoring programme, how often controls are tested, what methods you use, and whether results are documented and acted upon. Relying solely on the annual SOC 2 audit for control evaluation is a significant weakness that assessors will flag.
How to Implement
Create a monitoring and evaluation plan covering all controls in your SOC 2 scope. Specify which controls get continuous monitoring, which get periodic testing, the tools and methods for each, testing frequency, and who is responsible for conducting and reviewing evaluations.
Set up continuous monitoring for your critical controls. Automated alerting for security events, real-time access control monitoring, continuous vulnerability scanning, configuration compliance checks, and availability monitoring should all be running. Use dashboards to give you ongoing visibility into control status.
Run penetration tests at least annually on external-facing systems. Use qualified independent testers following industry-standard methodologies. Document the scope, methodology, findings, and remediation actions. Retest after fixes are applied to confirm the issues are resolved.
Perform vulnerability assessments monthly or quarterly across all in-scope systems. Track identified vulnerabilities, prioritise remediation by risk level, and measure trends over time. Keep records of every assessment, finding, and remediation action.
Conduct internal control testing at least annually. Sample control activities across all control areas, verify they operate as designed, and identify gaps or weaknesses. Feed results into your improvement plan and track remediation.
Periodically evaluate the monitoring programme itself. Ask whether coverage is adequate, whether testing frequency matches the risk level, and whether your tools and methods are still effective given environmental changes.
Evidence Your Auditor Will Request
- Monitoring and evaluation plan covering all in-scope controls with methods, frequency, and responsibilities
- Continuous monitoring dashboards and automated alert configurations with evidence of regular review
- Penetration testing reports (at least annual) including scope, findings, and remediation evidence
- Vulnerability assessment reports with tracking of remediation progress and trend analysis
- Internal audit or control testing reports with findings, recommendations, and management responses
Common Mistakes
- Monitoring programme relies entirely on the annual SOC 2 audit, with no internal testing throughout the year
- Penetration tests are conducted but findings are not remediated or retested in a timely manner
- Continuous monitoring generates alerts but there is no process for reviewing and responding to them
- Vulnerability assessments are performed inconsistently with no tracking of remediation or trends
- Control testing is superficial and does not verify that controls are actually operating effectively
Related Controls Across Frameworks
Frequently Asked Questions
How often should penetration tests be conducted?
Can we use automated scanning tools instead of manual penetration testing?
Do we need a dedicated internal audit function?