If your organization has gone through an audit against a compliance framework, whether it be SOC 1, SOC 2, HITRUST, FedRAMP, or HIPAA, you might shudder at the words “findings,” “gaps,” and “deficiencies.” Yet even an audit with a favorable outcome (e.g. an unqualified opinion, certification, or authorization) can come with findings and recommendations from the auditors, and an audit in which deficiencies and gaps are identified certainly will.
I would suggest treating findings, gaps, and deficiencies as constructive feedback and an opportunity for your organization to mature. A qualified and experienced auditor should bring process improvement insight to the audit. A corrective action plan helps you get the most out of the feedback an audit produces.
What is a Corrective Action Plan (CAP)?
Defined broadly, a corrective action plan, or CAP, is a set of actions designed to correct an issue, problem, non-compliance, or underperformance. In the compliance context, a CAP is a series of proposed actions to implement or address reported recommendations and audit comments. You can, however, deploy a CAP any time you identify an issue in your organization that you want to change.
What is the Purpose of a Corrective Action Plan?
In the context of a compliance audit, a corrective action plan is usually developed to address audit findings and provide a roadmap to the desired future state. It can also be used to streamline workflow, improve processes or methods, and increase effectiveness and efficiency. For example, during a SOC audit, management might discover that while user system access authorization occurs consistently, the authorization is documented in multiple places and in an unstructured format (e.g. instant messages or emails).
This makes collecting audit evidence a nightmare. That challenge by itself might not result in an audit finding, but it can cause an excessive amount of time to be spent on evidence gathering each year. That is time taken away from revenue-generating activities, which alone justifies the process improvement.
What Are the Steps to the Corrective Action Process?
The National Institute of Standards and Technology (NIST) provides a logical methodology for identifying and implementing corrective actions. According to NIST Special Publication 800-100, Information Security Handbook: A Guide for Managers, the process involves the steps outlined below.
Collect Data and Analyze Results
In the context of compliance audits, this should be a collaboration with your auditors. At the conclusion of each audit, your auditor should hold a closing meeting to present findings and recommendations (if any) and to collect your feedback on potential improvements for the next audit. This is also a good opportunity to ask for their observations on how your organization measures up against organizations of similar size in the same industry.
Once the information is collected, perform a root cause analysis before jumping into developing a CAP. After all, you cannot fix something if you do not know what caused it. Common causation factors behind poor security control implementation and effectiveness include resources (human, monetary, time), training, policies and procedures, and awareness and commitment. A CAP that addresses the symptom (e.g. a missing access review) without the cause (e.g. no one is assigned to perform it) will produce the same finding again next year.
Identify Corrective Actions
This phase involves developing a plan that provides a roadmap to your desired future state. It includes determining the range of possible corrective actions based on the causation factors, prioritizing them according to your overall risk mitigation goals, and selecting the most appropriate ones. Several corrective actions might achieve the same goal, but some may be inappropriate if they are out of proportion to the magnitude of the problem or too costly.
For example, one of the gaps identified during a SOC 2 readiness assessment might be that the movement of removable media is not tracked. The principle behind this requirement is to prevent data loss, and there are many ways to mitigate that risk. An entity could opt to implement a data loss prevention (DLP) platform, or it could prohibit the use of removable media, and data exfiltration in general, by policy (backed by a technical control such as disabling USB mass storage on endpoints). The entity should decide based on its budget, the type of data it possesses and processes, applicable laws and regulations, and compatibility with its existing technology.
Develop Business Case and Obtain Resources
This phase is a continuation of the previous one: the same factors that drove the selection of corrective actions (risk reduced, cost, proportionality) should form the business case presented to management and/or the board of directors for the resources needed to implement the plan.
Apply Corrective Actions
This “final” phase involves implementing the corrective actions determined through data analysis and defined in the business case described above. Per the NIST guide referenced above, “After corrective actions are applied, the cycle completes itself and restarts with subsequent data collection and analysis.” The key point is that the process is iterative: progress is monitored, and the next round of data collection confirms that the corrective actions were implemented and are yielding the planned results.
Also, as an entity’s internal controls and processes evolve, so should its policies and procedures. Most compliance frameworks require policies and procedures to be reviewed and updated at least annually, but they should also be re-examined at the time of CAP implementation so that the documented process matches the corrected one.
How Do You Write a Corrective Action Plan?
Most compliance frameworks require a corrective action plan after the assessment: a Plan of Action and Milestones (POA&M) for FedRAMP, a Corrective Action Plan (CAP) for HITRUST, and a management response for SOC 1 and SOC 2. While the management response for SOC 1 and SOC 2 is free-form and has no required format, templates are available and required for the FedRAMP POA&M and the HITRUST CAP, and they serve as excellent models for a proper corrective action plan. Elements common to the two include:
- Point of Contact: the person or role held responsible for resolving the weakness.
- Resource Requirements: the resources required to resolve the weakness, including, where applicable, an estimate of staff time in hours.
- Planned Milestones: the specific actions that will correct the weakness, each with its own completion date.
- Scheduled Completion Date: the target completion date for the CAP as a whole.
- Status Date: the most recent date on which an action was taken to remediate the weakness or a change was made to the CAP.
Full awareness of how the entity can improve and streamline its internal controls and processes is key to the success of its compliance audits, and potentially to its financial bottom line. Corrective action plans help entities stay on track with their process improvement, gap remediation, and risk mitigation initiatives. In this article, we discussed a high-level methodology an entity can use to develop and apply such plans.
Jenny has been in risk advisory and compliance since 2008. She spent 7 years at Ernst & Young, where she was responsible for both audit and advisory engagements across the financial services, energy, technology, and healthcare sectors. Since 2015, she has focused on serving SaaS-based companies, assessing their control environments as part of SOC reporting, HIPAA compliance, and HITRUST certification initiatives. She is a Certified Information Systems Auditor (CISA), HITRUST Certified CSF Practitioner (CCSFP), Certified Information Systems Security Professional (CISSP), and AWS Certified Cloud Practitioner. Jenny received her Bachelor of Science and Master’s degrees in Information Systems Management from Brigham Young University.