When a SOC 2 report is issued, I have seen that in the “Description of Tests of Controls and Results of Testing” section, if a control has an exception or a qualification, a management response is included. It explains how the risk behind the exception or qualification is being managed. Proponents of this approach say that it helps avoid questions from customers.
Speaking from experience, these are the issues I see with this approach.
- First, 90% of the time customers ignore the management response entirely and ask for further details via a meeting or email anyway.
- If the management response is for an exception, remember that the finding is an exception rather than a qualification precisely because the control, as designed and operated, still addresses most of the risk. A management response inside the report therefore adds little. In most cases it is put together hurriedly, and often without management’s real blessing. While the audit is in progress, it is difficult for control owners both to support the audit and to work out how the risk is being managed and draft so-called management response verbiage. Although it is called a management response, under tight timelines management may not actually have approved it, because everyone is busy collecting evidence and preparing the report to meet the issuance deadline.
- If the management response is for a qualification, it is even more important to tread carefully before committing to a resolution in writing: at that point nobody knows what the actual remediation will look like.
My suggested approach is to issue the audit report without management responses in the “Description of Tests of Controls and Results of Testing” section.
Within thirty days of report issuance, the compliance team should meet with the control owners to ensure:
- Agreement on remediation approach.
- Identification of timelines.
- Management (VPs, directors, managers) is on board with the remediation plan.
- Assignment of a Project Manager to track and report on the remediation progress regularly.
After all of the above are complete, prepare the management response letter. It states the remediation plan and timelines and is signed by the business owner of the audit, usually the VP.
Then, whenever a customer query comes in, share the letter. This shows the customer that your organization is serious about managing risk and is on top of addressing the findings.
The management letter is reissued as remediation is completed or timelines change.
These actions keep the compliance program on track, because all stakeholders are on board.
Without this follow-through, management is most of the time not aware of the remediation requirements, so operational teams do not focus on remediation. As a result, remediation is not implemented before the next audit cycle, which leads to a qualified report or repeat exceptions.