SOC2-CC4-INTERNAL-AUDIT

Internal Audit Program

Control type: detective | Effectiveness: high | Frequency: annually

What this control does

Scheduled internal reviews or third-party assessments to evaluate the design and operating effectiveness of controls.

Implementation guidance

Plan at least one internal audit or readiness assessment per year covering your SOC 2 control environment. Document findings, assign owners, and track remediation. For organizations that have not yet undergone an external audit, a readiness assessment performed by a qualified firm satisfies this control.

Requirements satisfied

CC4.1

Why it matters

Without an internal audit program, control gaps and design weaknesses go undetected until an external auditor finds them—often too late to remediate before attestation. Internal audits enable proactive identification of operating failures (e.g., a control documented but not actually performed) that could invalidate your SOC 2 opinion and create compliance risk.

Evidence to collect

  • Internal audit plan or schedule for the reporting period (showing scope, audit team, and scheduled dates)
  • Completed internal audit report or readiness assessment report with identified findings and severity ratings
  • Remediation tracking log showing owner assignment, due dates, and evidence of closure for each finding
  • Audit scope matrix or control checklist confirming which CC and other controls were tested and the testing methods used

Testing procedure

Obtain the internal audit plan and verify at least one audit or readiness assessment was performed within the 12-month period. Review the audit report to confirm it includes control design evaluation and testing of operating effectiveness (not just documentation review). Trace 3–5 findings to the remediation log and validate that owners were assigned and actions were completed or in progress with documented timelines.

Common gotchas

Organizations often confuse a documentation inventory or compliance checklist with an actual internal audit—self-assessment alone does not satisfy CC4.1 without independent evaluation or third-party involvement. Another common failure is scheduling an audit but deferring remediation tracking indefinitely; findings without closure evidence suggest the audit is performative rather than driving real control improvement.