
Deep Dive - Deficiency Monitoring

Learn about the Deficiency Monitoring control and associated evidence items

Written by Micah Spieler
Updated over 2 years ago

What is the Deficiency Monitoring control?

During an audit or independent control assessment, the auditor or assessor may find an issue or breakdown in a control. It is also possible that a defined control did not happen, happened late, or was only partially performed, or that no control has yet been defined to meet a specific requirement. All of these scenarios result in a 'control deficiency'.

Deficiency - When a control is not designed or operating correctly; a control failure found by any internal or external party.

Separate evaluation - The assessment of control(s) by any party other than the control owner or performer, such as an internal auditor, external auditor, or Assessor.

Strike Graph's default control language is: "Control deficiencies and results of separate evaluations are communicated to, and monitored by the head of IT and other senior management, as appropriate. Security and IT operational issues are tracked and monitored."

This language should be customized to reflect the specific process that your organization has defined. For example, if your control deficiencies are monitored by another position or team, then you should update the control language to reflect that. It's important that your stated control description accurately reflects how your organization implements this control.

Which framework is this for?

  • SOC 2, NIST 800-171r2

Why is this control important?

The appropriate level of management should be made aware of any control deficiency, and the deficiency should then be addressed. Strike Graph suggests that every IT security or IT operations deficiency be communicated to the Head of IT (this could be a CISO, CTO, or another individual). Each deficiency should be logged and then monitored until it is fixed. The easiest way to do this is to open a ticket or add a row to a spreadsheet for the item, assign an owner and a target date, and then start addressing the finding. When the issue has been resolved, the ticket can be closed, ideally with the evidence of the fix attached so the closure itself is auditable.

Who's involved with this control?

Typical control owner: CTO

Typical parties involved: Auditors, control performers, department managers

How do I perform this control?

If you have never been audited before, this control can be used to address control gaps (where you do not have a control to meet a specific criterion) or known issues in how the team is carrying out a control. For example, if a control states that user access reviews are to occur quarterly, and one quarter was missed or the review was not performed on time, that is also a control deficiency that should be reported, addressed, and monitored.

What does the evidence look like?

  • Gap Assessment results and how gaps are addressed, via emails, a ticket, or the introduction of a new control (and evidence that the new control is operating)

  • Ticket showing one gap or control deficiency and how it was addressed

  • Report to Management showing control deficiencies with their status. This report could show who has been assigned to address each deficiency, whether the deficiency will be remediated or accepted, the timeline for closing it, and the number of deficiencies open vs. in process vs. closed over a period of time.
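The management report above is easiest to produce from a structured deficiency log rather than free-form notes. The following is an added example, not Strike Graph's code or export format: it defines a small deficiency register, a validation pass that flags entries that would weaken the log as evidence, and a roll-up that produces the status counts, overdue items and accepted-risk items a management report would carry. The field names, the requirement that an accepted deficiency carry a documented rationale, and the sample entries are all assumptions constructed for illustration.

```python
"""Deficiency register and management roll-up (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Deficiency:
    id: str
    control: str                 # control the finding is against
    source: str                  # who found it: internal audit, external auditor, self-identified
    owner: str                   # person assigned to address it
    disposition: str             # "remediate" or "accept"
    opened: date
    due: date                    # target date for closure (or for re-evaluation if accepted)
    status: str                  # "open", "in_process" or "closed"
    closed: Optional[date] = None
    acceptance_rationale: Optional[str] = None   # assumption: required when disposition == "accept"


# Constructed sample register; the findings, owners and dates are illustrative only.
REGISTER: List[Deficiency] = [
    Deficiency("DEF-001", "Quarterly user access review", "internal audit", "IT manager",
               "remediate", date(2024, 1, 15), date(2024, 2, 28), "closed", closed=date(2024, 2, 20)),
    Deficiency("DEF-002", "Annual backup restore test", "external auditor", "CTO",
               "remediate", date(2024, 2, 1), date(2024, 3, 31), "in_process"),
    Deficiency("DEF-003", "Vendor risk assessment", "self-identified", "Security lead",
               "accept", date(2024, 2, 10), date(2024, 12, 31), "open",
               acceptance_rationale="Low-risk vendor; re-evaluate at contract renewal"),
    Deficiency("DEF-004", "Change approval before deploy", "external auditor", "Eng manager",
               "remediate", date(2024, 1, 5), date(2024, 2, 15), "open"),
]


def validate(register: List[Deficiency]) -> List[str]:
    """Return inconsistencies that would make the log a weak piece of evidence."""
    problems = []
    for d in register:
        if d.status not in ("open", "in_process", "closed"):
            problems.append(f"{d.id}: unknown status {d.status!r}")
        if d.status == "closed" and d.closed is None:
            problems.append(f"{d.id}: marked closed without a closure date")
        if d.status != "closed" and d.closed is not None:
            problems.append(f"{d.id}: has a closure date but is not closed")
        if d.disposition == "accept" and not d.acceptance_rationale:
            problems.append(f"{d.id}: accepted without a documented rationale")
        if d.due < d.opened:
            problems.append(f"{d.id}: due date precedes opened date")
    return problems


def overdue(register: List[Deficiency], as_of: date) -> Dict[str, int]:
    """Map each unclosed deficiency past its due date to the number of days late."""
    return {d.id: (as_of - d.due).days
            for d in register if d.status != "closed" and d.due < as_of}


def closed_between(register: List[Deficiency], start: date, end: date) -> List[str]:
    """IDs closed within [start, end], for the 'closed over a period' figure."""
    return [d.id for d in register
            if d.status == "closed" and d.closed is not None and start <= d.closed <= end]


def management_report(register: List[Deficiency], as_of: date) -> dict:
    """Roll-up in the shape a report to management would carry."""
    counts = {"open": 0, "in_process": 0, "closed": 0}
    for d in register:
        counts[d.status] += 1
    return {
        "as_of": as_of.isoformat(),
        "counts": counts,
        "overdue_days": overdue(register, as_of),
        "accepted_risk": [d.id for d in register if d.disposition == "accept"],
        "by_owner": {d.id: d.owner for d in register if d.status != "closed"},
    }


if __name__ == "__main__":
    for p in validate(REGISTER):
        print("VALIDATION:", p)
    print(management_report(REGISTER, date(2024, 3, 15)))
```

Run `validate` before generating the report: an accepted finding with no rationale, or a "closed" row with no closure date, is exactly the kind of entry an auditor will pull on, and catching it in the log is cheaper than explaining it in the audit.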

For SOC 2 audits, you can also simply upload a screenshot or export of your Strike Graph control library, since Strike Graph is the tool your business uses to monitor deficiencies. Make sure the export shows the deficiency status and ownership, not just the list of controls, so it stands on its own as evidence of monitoring.
