I was sitting across from a frustrated VP of Engineering at a fast-growing SaaS company in Austin back in 2021. He'd just failed his first SOC 2 audit, and the rejection letter sat between us like a bomb.
"I don't understand," he said, rubbing his temples. "We have all the tools. We spent $400,000 on security infrastructure. Our penetration tests came back clean. How did we fail on control activities?"
I pulled out the auditor's report and pointed to a single line: "Unable to verify consistent application of documented controls in day-to-day operations."
They had beautiful policies. Expensive tools. But nobody was actually doing the daily work that makes SOC 2 meaningful.
That conversation changed how I approach SOC 2 consulting. Because here's the truth bomb: SOC 2 doesn't fail in the boardroom during policy creation—it fails at 2 PM on a Tuesday when someone takes a shortcut because "we need to ship this feature NOW."
What Control Activities Actually Mean (And Why Most People Get It Wrong)
After shepherding 40+ companies through SOC 2 certification over the past decade, I've learned that control activities are the most misunderstood component of the Trust Services Criteria.
Let me break this down simply: Control activities are the actions your team performs every single day to make your security policies real. They're the difference between having a fire alarm installed and actually checking it monthly to ensure it works.
Here's what I tell every client: If your controls only exist in documentation, they don't exist at all.
The Five Control Activity Categories That Matter
SOC 2 organizes control activities into specific categories. Let me walk you through each one with real examples from companies I've worked with.
Control Activity Category | What It Means | Real-World Example |
|---|---|---|
Top-Level Reviews | Management oversight of performance | Weekly security metrics review by CISO with evidence of action items |
Physical Controls | Protecting physical assets and facilities | Badge reader logs showing access attempts, visitor sign-in sheets |
Segregation of Duties | Preventing single person control | Different people approve and deploy code changes |
Information Processing | Automated and manual controls in systems | Automated alerts for failed login attempts, manual review of access logs |
Performance Reviews | Evaluating employee activities | Quarterly access reviews, annual security training completion tracking |
Top-Level Reviews: Where Leadership Proves They Care
I worked with a healthcare tech startup in 2022 that had a brilliant CEO. Smart guy, visionary, but completely absent from security discussions. His CISO would send him weekly security reports. Know what happened to them? They went into a folder marked "Review Later" that never got reviewed.
Their audit failed. The auditor's note? "No evidence of management engagement with security program."
Six months later, same company, different approach. The CEO now:
Attended a 30-minute security briefing every Monday morning
Reviewed and signed off on the weekly security dashboard
Participated in quarterly risk assessment meetings
Asked questions and documented decisions in meeting minutes
They passed their next audit with flying colors.
"Control activities without management attention are like gym memberships—expensive commitments that make you feel good but produce no actual results."
What Top-Level Reviews Should Look Like
Here's the framework I've implemented across dozens of organizations:
Weekly Reviews (15-30 minutes):
Current security incidents and status
Key metrics: failed login attempts, vulnerability scan results, access request backlogs
Upcoming changes that could impact security
Resource allocation decisions
Monthly Reviews (60-90 minutes):
Trend analysis of security metrics
Vendor security assessment updates
Training completion rates
Budget vs. actual security spending
Risk register updates
Quarterly Reviews (2-3 hours):
Comprehensive risk assessment
Control effectiveness evaluation
Strategic security initiatives progress
Disaster recovery testing results
Third-party audit findings
The magic isn't in the meetings themselves—it's in the documented evidence that these reviews happened and drove decisions.
Here's a table showing the evidence auditors actually want to see:
Review Type | Required Evidence | Common Mistakes |
|---|---|---|
Weekly Security Briefing | Meeting minutes, attendance records, action items with owners | Generic templates, no actual decisions documented |
Monthly Metrics Review | Dashboard screenshots with dates, trend analysis notes, management signatures | Metrics without context or action items |
Quarterly Risk Assessment | Updated risk register, risk ratings with justification, mitigation decisions | Risk registers that never change quarter-to-quarter |
Annual Control Testing | Test results, findings documentation, remediation plans with timelines | Testing without follow-up on failures |
Physical Controls: Yes, They Still Matter in the Cloud Era
I can already hear you thinking: "We're a cloud-native SaaS company. We don't have physical controls!"
Wrong. Dead wrong. And I've seen three companies fail their SOC 2 audits because of this exact misconception.
Let me tell you about a fintech startup I worked with in 2020. Fully remote, everything in AWS, no data center. They assumed physical controls didn't apply to them.
Then the auditor asked: "Where do your employees work from? Do they access production systems from home offices? From coffee shops? How do you control physical access to devices that can access your production environment?"
Crickets.
Physical Controls in Modern Organizations
Here's what physical controls actually mean today:
Office Locations (If You Have Them):
Badge access systems with logs
Visitor management procedures
Secure areas for sensitive operations
Video surveillance in key areas
Equipment inventory and tracking
Remote Work Environments:
Company-issued laptop requirements
Encrypted hard drive mandates
Screen privacy filters for public spaces
Secure home office guidelines
Device loss/theft reporting procedures
Data Center and Colocation:
Vendor SOC 2 reports for physical security
Access logs from data center providers
Documented procedures for physical access requests
Equipment disposal and destruction procedures
I implemented a physical control program for a 100% remote company that included:
Control | Implementation | Evidence Collection |
|---|---|---|
Device Security | Company laptops only, encrypted drives, MDM software | MDM reports showing encryption status, device inventory |
Access to Devices | Multi-factor authentication required, biometric unlock preferred | Authentication logs, device configuration reports |
Working Location | VPN required for production access, public WiFi restrictions | VPN connection logs, security awareness training records |
Device Loss/Theft | 24-hour reporting requirement, remote wipe capability | Incident reports, remote wipe execution logs |
Visitor Access | No visitors allowed in home offices during work sessions | Policy acknowledgment, annual training completion |
They passed their audit. The auditor specifically commended their "comprehensive approach to physical security in a distributed environment."
Segregation of Duties: The Control That Prevents Insider Threats
This is where I see the most pushback, especially from startups. "We're only 12 people," they tell me. "How can we segregate duties when my lead engineer does everything?"
I get it. I really do. But here's a story that might change your mind.
In 2019, I consulted for a company that had suffered an insider breach. A developer with production access, database admin rights, and code deployment authority had exfiltrated customer data over six months. When they finally caught him, they realized he'd also deleted the audit logs of his own activities.
Damage: $3.2 million in direct costs, loss of two major clients, 18 months of reputation recovery.
The kicker? It would have been impossible if they'd properly segregated duties.
"Segregation of duties isn't about not trusting your team. It's about protecting them from the temptation of unsupervised power and protecting your organization from the 2% of people who will abuse that power."
Critical Segregation of Duties Controls
Here's the framework I implement even in small organizations:
Function | Person/Role A | Person/Role B | Why This Matters |
|---|---|---|---|
Code Deployment | Developer writes code | Different person approves and deploys | Prevents unauthorized code in production |
Access Provisioning | Manager requests access | Security/IT approves and implements | Prevents self-service privilege escalation |
Financial Systems | Person initiates payment | Different person approves payment | Prevents financial fraud |
Database Changes | DBA makes changes | Different person reviews and approves | Prevents unauthorized data modification |
Security Monitoring | System generates alerts | Different person reviews alerts | Prevents alert suppression |
User Deletion | Manager requests deletion | Different person executes deletion | Prevents unauthorized retention of access |
Small Team Solutions
"But we only have 8 people!" Yes, I hear you. Here's how I solve this:
Use automation for the second pair of eyes:
Automated code review tools that flag suspicious patterns
CI/CD pipelines that enforce approval workflows
Automated access reviews that require manager confirmation
Database audit logging that's sent to external systems
Implement peer review requirements:
All code must be reviewed by at least one other developer
All production changes must have a second person on the Zoom call
All access grants require a ticket and manager approval
Leverage third-party tools:
Use services like AWS CloudTrail that you can't modify
Implement SIEM solutions with immutable logs
Use privileged access management tools that record sessions
I worked with a 9-person startup that implemented this:
What They Needed to Separate | How They Did It With 9 People |
|---|---|
Code deployment | GitHub required 1 approval, only CTO could merge to main branch |
Production access | Temporary access via PIM tool, required CTO approval, auto-expired in 4 hours |
Customer data access | Database queries logged to external SIEM, reviewed weekly by CEO |
Access provisioning | All requests via ticketing system, required manager+1 approval |
Financial transactions | CEO initiated in bill.com, CFO approved, required both signatures |
Cost: $800/month in additional tools. Value: Passing SOC 2 and preventing potential insider threats.
Information Processing Controls: Where the Rubber Meets the Road
This is the big one. Information processing controls are the daily, ongoing activities that actually secure your data. And this is where most organizations have the biggest gap between policy and practice.
Let me share a painful example. In 2023, I was brought in to investigate why a company failed their SOC 2 surveillance audit after passing their initial certification.
The problem? Their policy said "all production changes must be documented and approved." Beautiful policy. But when the auditor sampled 25 production changes, 19 of them had no change ticket, no approval, and were pushed directly to production.
"We had a critical bug," they explained. "We needed to move fast."
The auditor's response? "Then your policy should say 'all production changes except when we don't feel like it.' Because that's what you're actually doing."
They lost their SOC 2 certification. Their biggest customer immediately triggered a contract review clause. It cost them $4.8 million in lost revenue.
The Information Processing Controls That Actually Matter
Based on 15+ years of experience, here are the controls that auditors scrutinize most heavily:
Change Management:
Control Activity | How It Works | Evidence Needed |
|---|---|---|
Change Request | All changes start with a documented request | Change tickets in Jira/ServiceNow with timestamps |
Impact Assessment | Changes are evaluated for security impact | Risk assessment notes in change ticket |
Approval Process | Changes approved by appropriate authority | Approval records with approver name and timestamp |
Testing | Changes tested in non-production environment | Test results, QA sign-off documentation |
Implementation | Changes deployed following documented procedure | Deployment logs, release notes, commit histories |
Rollback Plan | Documented plan to reverse change if needed | Rollback procedures, backup verification |
Post-Implementation Review | Verification that change worked as intended | Monitoring results, incident records (or lack thereof) |
Access Management:
I implemented this framework at a 200-person SaaS company:
Control Activity | Frequency | Owner | Documentation Required |
|---|---|---|---|
New User Provisioning | As needed | IT Security | Manager approval email, completed access form, training completion |
Access Review | Quarterly | Department Managers | Signed attestation of users who should have access |
Termination Process | Within 1 hour of notification | IT/HR | Termination checklist, account disable confirmation |
Privilege Escalation | As needed | CISO | Business justification, temporary vs permanent, approval |
Service Account Review | Monthly | Engineering Manager | List of accounts, purpose, owner, last use date |
Shared Account Elimination | Ongoing | Security Team | Inventory of shared accounts, migration plan, progress tracking |
Vulnerability Management:
This is where I see organizations struggle with consistency. They start strong then get sloppy over time.
Activity | What Success Looks Like | What Failure Looks Like |
|---|---|---|
Scanning | Weekly automated scans, documented in calendar invite | Ad-hoc scanning when someone remembers |
Triage | All critical/high vulnerabilities reviewed within 24 hours | Vulnerabilities sit in queue for weeks |
Remediation | Critical: 7 days, High: 30 days, Medium: 90 days | Everything is "in progress" indefinitely |
Exception Process | Business justification, compensating controls, time-bound | "We'll get to it eventually" |
Reporting | Monthly vulnerability metrics to management | Nobody knows current vulnerability status |
Verification | Re-scan after remediation to confirm fix | Assume fix worked without verification |
Backup and Recovery:
Here's a table showing the control activities I implement:
Control | Daily | Weekly | Monthly | Quarterly | Evidence |
|---|---|---|---|---|---|
Backup Execution | ✓ | - | - | - | Automated backup logs |
Backup Verification | ✓ | - | - | - | Automated verification reports |
Restore Testing | - | Sample files | - | Full restore test | Test results documentation |
Backup Monitoring | ✓ | - | - | - | Monitoring alerts, reviewed daily |
Offsite Storage | ✓ | - | - | - | Replication logs to secondary region |
Retention Compliance | - | - | ✓ | - | Retention policy compliance report |
Recovery Time Test | - | - | - | ✓ | DR test results, time to recovery |
Performance Reviews: Ensuring Humans Stay in the Loop
Technology is fantastic. Automation is critical. But humans are still the most important control in your security program.
I learned this lesson the hard way in 2020. A client had beautiful automated controls. Their systems were pristine. They failed their audit because nobody was reviewing the output of those automated systems.
They had:
Automated vulnerability scans (that nobody reviewed)
Automated access logs (that nobody analyzed)
Automated backup verification (that nobody checked)
Automated security alerts (that everyone ignored)
The auditor's comment? "These aren't controls. These are expensive noise generators."
The Performance Review Controls That Pass Audits
Daily Reviews:
What to Review | Who Reviews It | Time Required | Red Flags to Watch For |
|---|---|---|---|
Security Alerts | Security Team | 30-60 min | Spikes in failed logins, unusual access patterns, new threats |
Failed Logins | SOC/Security | 15 min | Brute force attempts, access from unusual locations |
System Health | DevOps | 30 min | Resource exhaustion, unusual traffic patterns |
Backup Status | Infrastructure | 15 min | Failed backups, size anomalies, timing issues |
Weekly Reviews:
Review Activity | Participants | Duration | Key Outputs |
|---|---|---|---|
Vulnerability Status | Security + Engineering | 45 min | Updated remediation timeline, resource allocation |
Access Changes | Security + Managers | 30 min | Validation of new access, termination confirmation |
Incident Summary | Security + Management | 30 min | Incident trends, root cause patterns, process improvements |
Change Success Rate | Engineering + QA | 30 min | Failed changes, rollback frequency, quality trends |
Monthly Reviews:
These are comprehensive deep dives. Here's the framework I use:
Review Type | Purpose | Evidence Created |
|---|---|---|
Access Recertification | Managers confirm their team members still need current access | Signed attestation, access changes made |
Control Effectiveness | Evaluate if controls are working as designed | Test results, metrics analysis, improvement plans |
Training Compliance | Verify all employees completed required training | Training completion reports, follow-up for delinquent staff |
Vendor Security Status | Review third-party security posture | Updated vendor risk register, new SOC 2 reports received |
Policy Review | Ensure policies reflect current practices | Updated policies, approval signatures, communication plan |
Quarterly Reviews:
This is where strategy meets execution:
Review Activity | What Gets Evaluated | Decision Points |
|---|---|---|
Risk Assessment Update | New risks, changed risk ratings, retired risks | Risk acceptance decisions, new control implementation |
Control Testing | Sample transactions testing control operation | Control deficiencies, remediation plans |
Incident Analysis | Trends across all incidents | Process changes, training needs, tool gaps |
Metrics Analysis | KPI trends, benchmark comparisons | Budget allocation, staffing decisions, tool optimization |
Third-Party Attestations | Review new SOC 2/ISO reports from vendors | Vendor continuation, new due diligence, contract updates |
The Control Activities That Kill Your Audit (And How to Fix Them)
After reviewing dozens of failed SOC 2 audits, I've identified the top control activity failures:
Failure #1: Inconsistent Application of Controls
The Problem: You have a control that says "all production changes require approval." Then someone deploys directly to production without approval because "it's urgent."
Real Example: A company I worked with had 47 emergency changes in a 6-month period. Every single one bypassed their change control process. They failed their audit.
The Fix:
Create an actual emergency change process with documentation requirements
Emergency changes must be reviewed within 24 hours
Pattern of excessive emergency changes triggers process review
Evidence Table:
Standard Change | Emergency Change |
|---|---|
Change request submitted 48 hours in advance | Change request submitted during or immediately after |
Full impact assessment required | Abbreviated impact assessment acceptable |
Approval required before implementation | Implementation allowed, approval required within 4 hours |
Testing in non-prod required | Production deployment acceptable, immediate monitoring required |
Standard release window | Any time |
Post-implementation review within 1 week | Post-implementation review within 24 hours |
Failure #2: Evidence That Doesn't Exist
The Problem: Your policy says you do something. You probably do it. But you can't prove it.
Real Example: A client performed security training for all new hires. They just didn't document who completed it or when. During the audit, they couldn't prove any training had occurred.
The Fix: If it's not documented, it didn't happen. Period.
Evidence Requirements:
Control Activity | Required Evidence | Storage Location | Retention Period |
|---|---|---|---|
Security Training | Completion certificates, attendance records, quiz scores | LMS system + backup | 3 years |
Access Reviews | Signed attestations, access change records | Ticketing system | 3 years |
Vulnerability Remediation | Scan results, remediation notes, verification scans | Vulnerability management tool | 2 years |
Change Approvals | Approval emails/tickets, approval timestamps | Change management system | 2 years |
Backup Testing | Test plans, test results, issues found and resolved | Document management system | 2 years |
Failure #3: Controls Performed by the Wrong People
The Problem: The person who makes changes is the same person who reviews them.
Real Example: A company's database administrator made changes to production databases and then marked his own changes as "reviewed and approved" in the change management system.
The Fix: Segregation of duties enforced through tooling:
Function | Performer | Reviewer | System Enforcement |
|---|---|---|---|
Code Deployment | Developer | Different developer + manager | GitHub requires 2 approvals, bot blocks self-approval |
Access Changes | IT/Security | Requesting manager + Security | Ticketing system requires two unique approvers |
Database Changes | DBA | Application owner + Security | Change ticket requires cross-functional approval |
Production Changes | Infrastructure engineer | Different engineer + manager | CI/CD pipeline enforces approval before deployment |
Building a Control Activities Program That Actually Works
After 15 years of implementing these programs, here's my battle-tested framework:
Phase 1: Document Current State (Week 1-2)
Don't start by writing policies. Start by documenting what actually happens.
Activities:
Shadow your team for a week
Document actual processes, not ideal processes
Identify where documented procedures and reality diverge
Map out who does what, when, and how
Deliverable: Current state process map showing actual control activities
Phase 2: Gap Analysis (Week 3-4)
Compare what you do to what SOC 2 requires.
SOC 2 Requirement | Current State | Gap | Risk Level |
|---|---|---|---|
Quarterly access reviews | Never done | Complete gap | High |
Change management process | Ad-hoc approvals | Inconsistent application | High |
Backup testing | Weekly automated, no manual test | Partial gap | Medium |
Vulnerability remediation | Scans run, no tracking | Process exists but not documented | Medium |
Phase 3: Design Realistic Controls (Week 5-8)
This is critical: Design controls your team will actually follow.
I worked with a company that created a change management process requiring 7 approvals and 48-hour lead time. Within a month, everyone was routing around it. They ended up with worse compliance than before.
Principles for Realistic Controls:
Minimize manual steps through automation
Make compliance the path of least resistance
Design for humans, not ideal robots
Build in appropriate emergency procedures
Match control rigor to actual risk
Phase 4: Implement and Train (Week 9-16)
Roll out controls with proper training and support.
Week | Activity | Focus |
|---|---|---|
9-10 | Tool setup | Configure systems to support controls |
11-12 | Initial training | All-hands training on new procedures |
13-14 | Pilot program | Run controls with single team |
15-16 | Full rollout | Expand to entire organization |
Phase 5: Monitor and Adjust (Ongoing)
This is where most programs fail—they don't adapt.
Monthly Activities:
Review control compliance metrics
Gather feedback from teams performing controls
Identify controls that aren't working
Adjust procedures based on reality
Quarterly Activities:
Comprehensive control effectiveness review
Update procedures based on lessons learned
Refresh training for struggling areas
Celebrate successes and share best practices
The Daily Control Activities Checklist
Here's a practical checklist I give every security team. Print this, laminate it, put it on the wall:
Daily Control Activities (30-60 minutes total)
Time | Activity | Owner | Tools |
|---|---|---|---|
9:00 AM | Review overnight security alerts | Security Analyst | SIEM dashboard |
9:15 AM | Check backup completion status | Infrastructure | Backup monitoring tool |
9:30 AM | Review failed authentication attempts | Security Analyst | Authentication logs |
9:45 AM | Verify certificate expiration warnings | DevOps | Certificate management tool |
10:00 AM | Check vulnerability scan results | Security Engineer | Vulnerability scanner |
2:00 PM | Review access change requests | Security Manager | Identity management system |
4:30 PM | End-of-day security status check | Security Team | Security dashboard |
Weekly Control Activities (3-4 hours total)
Day | Activity | Duration | Attendees |
|---|---|---|---|
Monday | Security metrics review | 30 min | Security team + Engineering leads |
Tuesday | Access recertification progress | 30 min | Security + HR |
Wednesday | Vulnerability remediation status | 45 min | Security + Engineering |
Thursday | Change management review | 30 min | Change advisory board |
Friday | Week-in-review and next week planning | 45 min | Security team |
Real-World Success: What Good Looks Like
Let me end with a success story that illustrates everything I've covered.
In 2022, I worked with a 85-person SaaS company going through their first SOC 2. They were terrified. Their engineering culture was "move fast and break things"—the opposite of compliance culture.
We implemented the control activities framework I've described here. Six months later:
Their Results:
Passed SOC 2 Type II on first attempt
Zero control deficiencies
Auditor specifically praised their "mature control environment"
Actually improved their development velocity by 15%
That last point surprised them. How did compliance make them faster?
Because good controls eliminate chaos. When everyone knows the process, follows the same procedures, and has clear approval paths, there's no confusion, no rework, no "wait, who was supposed to approve this?"
Their CTO told me: "I thought SOC 2 would slow us down. Instead, it made us professional. We ship faster now because we're not constantly firefighting our own mistakes."
"The best control activities don't feel like compliance overhead. They feel like the way professionals work."
Your Next Steps
Ready to build a control activities program that passes audits and actually improves your operations?
This Week:
Print the daily and weekly control activities checklists above
Shadow your team to document what actually happens today
Identify your top 3 control gaps
Schedule a meeting with your team to discuss findings
This Month:
Design realistic control activities for your top gaps
Select and implement tools to support your controls
Train your team on new procedures
Start documenting evidence
This Quarter:
Implement all critical control activities
Conduct monthly control effectiveness reviews
Build evidence collection into daily workflows
Prepare for your SOC 2 readiness assessment
Remember: Control activities aren't about creating bureaucracy. They're about building a system where security happens naturally, consistently, and provably—day after day, week after week, all year long.
Because when the auditor asks "How do you know your controls work?" the answer should never be "We think they do."
The answer should be "Let me show you the evidence from the last 365 days of daily operations."
That's how you pass SOC 2. That's how you build real security. That's how you protect your business and your customers.
Now go build something remarkable.