AccountMade

Traceable-Answer Reference  /  Audit & Assurance

A&A-06Remediation

Maintain a risk-based corrective action plan to remediate audit findings and report remediation status to stakeholders.

Every framework that asks this

Answer A&A-06 once and it typically satisfies the equivalent control elsewhere. Altitude and confidence vary — a domain-level anchor is a starting point to verify, not an audited equivalence.

FrameworkEquivalent control(s)Confidence
SOC 2CC1.1, CC1.5, CC3.1, CC3.2, CC4.2, CC7.3, A1.2high
ISO 27001A.5.36medium
NIST CSF 2.0GV.OV-01, GV.OV-03, ID.IM-02 (domain-level)high
NIST 800-53CA-2, CA-7, AU-6, PM-14 (domain-level)high
SIGCompliance Management, Information Assurance (domain-level)medium

Full provenance and NIST 800-53 mappings: the framework crosswalk.

What the reviewer is really checking

The reviewer is not asking whether you have controls. They are asking whether someone independent has verified those controls operate over time, and whether the gaps that verification surfaced were closed. The sub-questions behind 'Do you undergo independent audits?' are: Who is the auditor, and are they qualified and independent of your team? What framework and Trust Services Criteria or Annex A controls were in scope, and what was explicitly carved out? Was it a point-in-time design review (SOC 2 Type I / readiness) or an operating-effectiveness test over a period (SOC 2 Type II, typically 6-12 months)? When did the period end, and is the report current or stale? Were there exceptions or qualified opinions, and what is the status of each remediation? A reviewer distinguishing an independent audit from an internal one is testing whether an external, accountable party put their name on the result. Internal audit is a legitimate control, but it is self-attestation and does not substitute for third-party assurance. The reviewer also wants to know your bridge-letter posture: what covers the gap between the last report's period end and today.

What a truthful, defensible answer contains

A defensible answer names the specific assurance you actually hold, not the category. State the report type and standard (for example SOC 2 Type II against the AICPA Trust Services Criteria, or ISO/IEC 27001:2022 certification), the CPA firm or accredited certification body that issued it, the scope boundary (which systems, services, and criteria were included and which were carved out), and the exact examination period or certificate validity dates. Say whether the opinion was unqualified and disclose the number and nature of exceptions, plus where each stands on the path to closure. If you rely on subservice organizations, state whether the report is inclusive or carve-out and which complementary user-entity and subservice controls apply. Describe cadence: audits recur annually, penetration tests on a stated frequency, and how findings flow into a tracked remediation register with owners and due dates. The level of detail that survives review is the detail a reader could independently confirm against the report cover page and the auditor's opinion section. If you only have a Type I or a readiness assessment, say so plainly rather than implying operating-effectiveness coverage.

Make it traceable

Point the answer at the artifact, not at your word. Reference the SOC 2 report by its examination period and the section of the auditor's opinion, or the ISO 27001 certificate by its number and issuing body, and make both available under NDA through a trust portal or data room. For each exception, cite the specific management-response row and the remediation ticket. A bridge letter should name the covered gap dates. The Promise-to-Proof move here is that the answer resolves to a page a reviewer can open: 'SOC 2 Type II, period ending [date], unqualified, two exceptions both remediated, evidence in report section IV and tickets X and Y,' where every noun maps to a downloadable document rather than a claim the reviewer must trust.

Answer patterns that hold up

  • Name the assurance held, the issuing auditor, the in-scope systems and criteria, and the examination period or certificate validity dates.
  • State the report type (design-only vs operating-effectiveness) and do not let a readiness or Type I answer imply Type II coverage.
  • Disclose the opinion and every exception, then give the closure status and evidence location for each.
  • Describe recurrence: audit cadence, test frequency, and how findings route into a tracked remediation register with owners and dates.
  • For third-party dependencies, state carve-out vs inclusive scope and the complementary user-entity controls that remain yours.

Evidence that backs the answer

SOC 2 Type II report, auditor opinion section and exceptions tableISO/IEC 27001 certificate with certificate number and issuing bodyBridge letter covering the gap since the last examination periodRemediation register or ticket export showing finding-to-closurePenetration test report with retest confirmationStatement of Applicability referencing in-scope Annex A controls

Red flags reviewers catch

  • "We conduct regular internal audits" offered in place of any independent attestation.
  • Claiming SOC 2 without saying Type I or Type II, or without a period end date.
  • "No findings" with no report available to confirm the opinion was unqualified.
  • A certificate referenced but never made available even under NDA.
  • Citing a report whose period ended over a year ago with no bridge letter.

Other Audit & Assurance controls

FAQ

What is a buyer really asking with A&A-06?

The reviewer is not asking whether you have controls. They are asking whether someone independent has verified those controls operate over time, and whether the gaps that verification surfaced were closed. The sub-questions behind 'Do you undergo independent audits?' are: Who is the auditor, and are they qualified and independent of your team? What framework and Trust Services Criteria or Annex A controls were in scope, and what was explicitly carved out? Was it a point-in-time design review (SOC 2 Type I / readiness) or an operating-effectiveness test over a period (SOC 2 Type II, typically 6-12 months)? When did the period end, and is the report current or stale? Were there exceptions or qualified opinions, and what is the status of each remediation? A reviewer distinguishing an independent audit from an internal one is testing whether an external, accountable party put their name on the result. Internal audit is a legitimate control, but it is self-attestation and does not substitute for third-party assurance. The reviewer also wants to know your bridge-letter posture: what covers the gap between the last report's period end and today.

What does a defensible answer to A&A-06 need?

A defensible answer names the specific assurance you actually hold, not the category. State the report type and standard (for example SOC 2 Type II against the AICPA Trust Services Criteria, or ISO/IEC 27001:2022 certification), the CPA firm or accredited certification body that issued it, the scope boundary (which systems, services, and criteria were included and which were carved out), and the exact examination period or certificate validity dates. Say whether the opinion was unqualified and disclose the number and nature of exceptions, plus where each stands on the path to closure. If you rely on subservice organizations, state whether the report is inclusive or carve-out and which complementary user-entity and subservice controls apply. Describe cadence: audits recur annually, penetration tests on a stated frequency, and how findings flow into a tracked remediation register with owners and due dates. The level of detail that survives review is the detail a reader could independently confirm against the report cover page and the auditor's opinion section. If you only have a Type I or a readiness assessment, say so plainly rather than implying operating-effectiveness coverage.

Which other frameworks does A&A-06 cover?

Answering A&A-06 typically covers SOC 2 (CC1.1, CC1.5, CC3.1, CC3.2, CC4.2, CC7.3, A1.2); ISO 27001 (A.5.36); NIST CSF 2.0 (GV.OV-01, GV.OV-03, ID.IM-02); NIST 800-53 (CA-2, CA-7, AU-6, PM-14); SIG (Compliance Management, Information Assurance). Confidence and altitude vary per mapping — see the equivalents table.

Answer every buyer from one governed source.