
CC4: Monitoring Activities in SOC 2 Audits

SOC 2 CC4 monitoring requires ongoing and separate evaluations of internal controls. Learn what auditors check and how to demonstrate continuous monitoring.

Key Takeaways
  • CC4 requires both ongoing monitoring (continuous) and separate evaluations (periodic audits/reviews).
  • Automated monitoring via SIEM, CloudTrail, or security dashboards satisfies the ongoing evaluation requirement.
  • Access reviews, vulnerability scans, and penetration tests are separate evaluations.
  • Deficiencies found during monitoring must be reported to responsible parties — this is the CC4.2 requirement.
  • Evidence of deficiency remediation tracking demonstrates a mature monitoring program.

What Is CC4?

CC4 is the Monitoring Activities component of COSO as applied to SOC 2. It has two sub-criteria: CC4.1 (the entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning) and CC4.2 (the entity evaluates and communicates internal control deficiencies in a timely manner).

The fundamental question is: how does your organization know that its controls are working? A control that was designed correctly but has degraded in operation — for example, a monitoring alert that was silenced months ago — is a CC4 finding, not just a CC7 finding.

CC4.1: Ongoing Monitoring Activities

Ongoing monitoring is continuous or near-continuous evaluation built into normal operations. For a SaaS company, this typically means: security dashboards that flag anomalies in real time, automated compliance checks (AWS Config rules, Snyk scans), and SIEM alerting for suspicious events.

AWS Config with managed rules like "s3-bucket-public-read-prohibited" and "iam-root-access-key-check" provides automated ongoing monitoring of infrastructure controls. Results are logged, and violations trigger alerts — this is exactly what CC4.1 is looking for.

Operational metrics also count: uptime monitoring (UptimeRobot, Datadog), error rate dashboards, and backup job completion monitoring all demonstrate that the organization is continuously evaluating whether the system is operating as intended.

CC4.2: Separate Evaluations

Separate evaluations are periodic, point-in-time assessments conducted independently of day-to-day operations. Examples include: quarterly user access reviews, annual penetration tests, vulnerability scans (monthly or more frequent), internal control self-assessments, and the SOC 2 audit itself.

Separate evaluations are typically performed by a different party than the one responsible for operating the control — an internal audit function, a third-party pen tester, or the compliance team reviewing access logs that engineering produced.

For CC4.2, auditors check not just that these evaluations occurred, but that deficiencies found were communicated to the appropriate parties and that remediation was tracked. A penetration test report with 5 high findings that were never addressed is a CC4.2 finding.

Deficiency Reporting and Remediation

CC4.2 requires that control deficiencies be evaluated and communicated "to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate." This means there must be a documented escalation process for control failures.

In practice: security alerts must route to someone who acts on them. Vulnerability scan findings must be assigned to a ticket owner with a due date. Pen test results must be reviewed by leadership, not just the security team. Evidence of this process includes Jira tickets linked to vulnerability findings, board meeting minutes referencing security deficiencies, and remediation completion records.
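The escalation process described above can be made concrete as a deficiency register: every non-compliant monitoring result becomes a record with an owner, a due date and a remediation timestamp, and anything past its due date is flagged for management. The following Python script is an added example for this article, not code from the article's author or from AuditPath. The findings are constructed sample data shaped loosely like AWS Config rule evaluations (rule name plus a COMPLIANT/NON_COMPLIANT result); the owner mapping, severity mapping and SLA days are hypothetical policy choices.

```python
"""Deficiency register: turn monitoring findings into the timestamped,
owner-assigned, due-dated records that CC4.2 evidence requests ask for.

Added example; not the article's or AuditPath's code. The sample findings,
owner mapping, severity mapping and SLA days below are all constructed
assumptions for illustration."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical policy tables (assumptions for the example).
OWNER_BY_SOURCE = {"aws-config": "cloud-platform-team", "vuln-scan": "appsec-team"}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
SEVERITY_BY_RULE = {
    "s3-bucket-public-read-prohibited": "high",
    "iam-root-access-key-check": "critical",
    "tls-legacy-version-enabled": "medium",  # constructed rule name
}

# Constructed sample findings, as a monitoring tool export might look.
SAMPLE_FINDINGS = [
    {"source": "aws-config", "rule": "s3-bucket-public-read-prohibited",
     "resource": "arn:aws:s3:::example-logs-bucket",
     "compliance": "NON_COMPLIANT", "detected_at": "2024-03-01T08:15:00Z"},
    {"source": "aws-config", "rule": "iam-root-access-key-check",
     "resource": "AWS::::Account:000000000000",
     "compliance": "COMPLIANT", "detected_at": "2024-03-01T08:15:00Z"},
    {"source": "vuln-scan", "rule": "tls-legacy-version-enabled",
     "resource": "web-tier-lb", "compliance": "NON_COMPLIANT",
     "detected_at": "2024-02-15T02:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class Deficiency:
    source: str
    rule: str
    resource: str
    severity: str
    owner: str
    detected_at: datetime
    due_at: datetime
    remediated_at: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        """remediated, overdue (past SLA and still open) or open."""
        if self.remediated_at is not None:
            return "remediated"
        return "overdue" if now > self.due_at else "open"


def build_register(findings: list) -> list:
    """Create one tracked deficiency per NON_COMPLIANT finding.

    COMPLIANT results are kept elsewhere as evidence that monitoring ran;
    they are not deficiencies, so they are skipped here."""
    register = []
    for f in findings:
        if f["compliance"] != "NON_COMPLIANT":
            continue
        severity = SEVERITY_BY_RULE.get(f["rule"], "medium")
        detected = parse_ts(f["detected_at"])
        register.append(Deficiency(
            source=f["source"], rule=f["rule"], resource=f["resource"],
            severity=severity,
            owner=OWNER_BY_SOURCE.get(f["source"], "security-team"),
            detected_at=detected,
            due_at=detected + timedelta(days=SLA_DAYS[severity]),
        ))
    return register


def record_remediation(register: list, rule: str, resource: str,
                       when: datetime) -> bool:
    """Stamp the remediation time on a matching open deficiency."""
    for d in register:
        if d.rule == rule and d.resource == resource and d.remediated_at is None:
            d.remediated_at = when
            return True
    return False


def escalation_report(register: list, now: datetime) -> dict:
    """Counts by status plus the items that must go to management:
    anything overdue, and any critical item still open."""
    counts = {"open": 0, "overdue": 0, "remediated": 0}
    escalate = []
    for d in register:
        s = d.status(now)
        counts[s] += 1
        if s == "overdue" or (s == "open" and d.severity == "critical"):
            escalate.append(f"{d.rule} on {d.resource} "
                            f"(owner {d.owner}, due {d.due_at.date()})")
    return {"counts": counts, "escalate_to_management": escalate}


if __name__ == "__main__":
    reg = build_register(SAMPLE_FINDINGS)
    now = parse_ts("2024-04-10T00:00:00Z")
    print(escalation_report(reg, now))
    record_remediation(reg, "s3-bucket-public-read-prohibited",
                       "arn:aws:s3:::example-logs-bucket",
                       parse_ts("2024-04-09T17:30:00Z"))
    print(escalation_report(reg, now))
```

Run as written, the first report shows the public-bucket finding as overdue (detected 1 March, 30-day SLA, evaluated on 10 April) and lists it for management; after the remediation timestamp is recorded, the second report shows it as remediated with nothing left to escalate. The point for an audit is that both reports, and the timestamps behind them, are the evidence, not a screenshot of the dashboard after the fix.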

Tools That Satisfy CC4

Ongoing monitoring tools: AWS Security Hub (aggregates GuardDuty, Config, Inspector findings), Datadog security monitoring, Splunk SIEM, Sumo Logic, Wiz cloud security platform.

Separate evaluation tools: Qualys or Tenable for vulnerability scanning, Cobalt or Synack for penetration testing, AuditPath or Vanta for access reviews, Drata for control monitoring.

The key is that these tools produce timestamped records of what was monitored, what was found, and what action was taken. Screenshots of "all green" dashboards are less compelling than exported reports showing actual monitoring activity over time.

CC4 Evidence Examples

Auditors typically request:
  • SIEM or security monitoring tool reports showing alerts reviewed during the audit period.
  • AWS Config or equivalent compliance scan results.
  • Vulnerability scan reports with remediation tracking.
  • Penetration test report and remediation status.
  • Access review records showing quarterly or semi-annual reviews were completed.
  • Evidence that deficiencies were reported to management — meeting minutes, email summaries, or ticket escalations.

Frequently Asked Questions

Does automated monitoring fully satisfy CC4.1, or do we also need manual reviews?
Automated monitoring satisfies the "ongoing" component of CC4.1. But auditors expect to see evidence that humans are reviewing the outputs — that alerts are being actioned, that dashboards are being checked. A SIEM that runs automatically but whose alerts nobody reviews does not demonstrate an effective monitoring activity.

How often do we need to run vulnerability scans for CC4?
SOC 2 doesn't mandate a specific frequency, but the AICPA's supplemental guidance and most auditors expect at minimum quarterly vulnerability scans. Monthly is better. If you run a continuous scanning tool like AWS Inspector or Snyk, that satisfies both the frequency and ongoing monitoring requirements.

Does a SOC 2 audit itself count as a separate evaluation for CC4.2?
Yes. The SOC 2 audit is the most comprehensive separate evaluation. However, it only happens once per audit period, so auditors expect to see other periodic evaluations during the year as well — access reviews, vulnerability scans, and penetration tests at minimum.

What happens if monitoring finds a deficiency that we didn't fully remediate during the audit period?
Finding and tracking deficiencies — even if not fully remediated — demonstrates a functioning CC4.2 process. Auditors distinguish between deficiencies that are known, tracked, and being remediated versus deficiencies that were found and ignored. The former is mature; the latter is a finding.

Is a penetration test required for SOC 2?
Not explicitly required by the AICPA criteria, but virtually all SOC 2 auditors expect to see an annual penetration test as evidence of a separate evaluation under CC4.2 and CC7 threat detection. Most enterprise customers also require pen test evidence before signing. Budget for one annually.
