Conduct Control Self-Assessments

Example Audit Evidence – Control Framework Review

Scope and Purpose

The control framework sets out the internal control activities that manage the identified risks and support compliance with SOC 2 and customer requirements.


Governance of control activities

The control activities have been identified, documented and assigned to control owners. These owners are responsible for ensuring these controls are accurate, applied effectively and consistently in practice, and revised and updated when needed. The control framework is formally reviewed on at least an annual basis in order to demonstrate appropriate governance and compliance.


Control activities

The Control Framework includes the control activities within the scope of AssuranceLab’s AuditPro, which relate to information security and to operational resilience in support of availability. These have been assessed as relevant to leading standards such as SOC 1, SOC 2 and ISO 27001.


Annual Control Self-Assessments

The annual review includes a sign-off/confirmation from the control owners that their assigned controls are:

  1. Accurately described (no changes);
  2. Meeting their intended purpose; and
  3. Operating consistently with evidence recorded.

The Risk Manager then confirms this review, providing independent oversight and directly validating both the assessment process and the controls themselves, using a risk-based review approach.


| Control Area       | Owner               | Date of confirmation | Controls modified |
|--------------------|---------------------|----------------------|-------------------|
| Control environment | CEO                | 15/02/2021           | None              |
| Customer services  | VP Customer Success | 15/02/2021           | INT01, CCM04      |
| Risk management    | CEO                 | 15/02/2021           | None              |
| Vendor management  | Head of Security    | 15/02/2021           | None              |
| System security    | Head of Security    | 15/02/2021           | EXT01             |
| Physical security  | Head of Security    | 15/02/2021           | None              |
| Operations         | COO                 | 15/02/2021           | None              |
| Change management  | CPO                 | 15/02/2021           | None              |


Review Confirmed By: John Jacobs, Risk Manager

Date of Finalisation: 25/3/2021

Identified Actions:

  • Strengthen the Acceptable Use Policy with BYOD requirements
  • Re-iterate the importance of capturing approval records for change releases
  • Adjust system change testing to an automated control relying on the CI/CD pipeline of automated test cases, once fully implemented by 30/04/2021

Actions have been added to the agenda for the next review.