Phase 0 · Your First GRC Exercises · Lesson 1 of 2
Exercise · 30 min · +15 pts
The single most important skill a GRC engineer has: taking a compliance finding written in framework language and turning it into a concrete technical remediation plan that an engineering team can actually execute.
Writing your first remediation plan
Below is a real-world-style SOC 2 Type II finding. Your job is to write the remediation plan in YAML. Fill in every field — replace all the placeholder comments with your actual analysis.
What makes a good remediation plan?
A strong plan answers four questions: (1) What is the actual technical gap? (2) What specific changes fix it? (3) What evidence proves it's fixed? (4) What's the timeline? Auditors want to see concrete actions, not vague commitments like "improve security posture."
Translate this audit finding into a technical remediation plan
SOC 2 Type II Finding: Insufficient logical access controls for privileged accounts
ID: CC6.1-2026-001
Criterion: CC6.1 — Logical and Physical Access Controls
Severity: Moderate
During the examination period, we observed that multi-factor authentication (MFA) was not consistently enforced for accounts with privileged access to production infrastructure. Of 23 accounts with administrative access to the cloud environment, 7 (30%) had MFA disabled or configured with SMS-only verification. Additionally, 3 service accounts with broad IAM permissions lacked any compensating controls such as IP restriction or session duration limits.
Auditor Notes
Management represented that MFA was required by policy (IS-004 rev 3). The gap appears to be an enforcement issue rather than a policy gap. Service accounts were provisioned during a cloud migration in Q2 and were not reviewed post-migration. No evidence of unauthorized access was identified during the examination period.
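Question (3) above, what evidence proves it's fixed, is easiest to answer when the finding's wording is turned into acceptance criteria that a script can check against the account inventory: the same check sizes the gap today and produces the closing evidence after remediation. The block below is an added example written for this page, not course material. It assumes a provider-neutral inventory shape (the sample accounts are constructed, not real data) and an assumed one-hour session ceiling for service accounts, since the finding names neither a cloud provider nor a number.

```python
"""Acceptance criteria for finding CC6.1-2026-001 as a runnable check.

Added example; the Account shape and the sample data are assumptions.
A real run would build the inventory from the provider's IAM API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Factors treated as strong MFA. SMS is deliberately excluded because the
# finding counts "SMS-only verification" as non-compliant.
STRONG_MFA = {"totp", "fido2", "hardware_token"}
# Assumed policy ceiling for service-account sessions (not stated in the finding).
MAX_SESSION_SECONDS = 3600


@dataclass
class Account:
    name: str
    privileged: bool                       # administrative access to production
    service_account: bool = False
    mfa_factors: frozenset = frozenset()   # e.g. {"sms"} or {"totp", "sms"}
    ip_allowlist: List[str] = field(default_factory=list)
    max_session_seconds: Optional[int] = None


def check_account(acct: Account) -> List[str]:
    """Return the control gaps for one account; an empty list means compliant."""
    gaps: List[str] = []
    if not acct.privileged:
        return gaps  # the finding is scoped to privileged access only
    if acct.service_account:
        # Service accounts cannot complete interactive MFA, so the finding
        # asks for compensating controls: IP restriction or session limits.
        if not acct.ip_allowlist:
            gaps.append("no-ip-restriction")
        if acct.max_session_seconds is None or acct.max_session_seconds > MAX_SESSION_SECONDS:
            gaps.append("no-session-limit")
    elif not acct.mfa_factors:
        gaps.append("mfa-disabled")
    elif not (acct.mfa_factors & STRONG_MFA):
        gaps.append("sms-only-mfa")
    return gaps


def evaluate(inventory: List[Account]) -> Dict:
    """Summarise the population the way the finding states it: total, exceptions, rate."""
    humans = [a for a in inventory if a.privileged and not a.service_account]
    services = [a for a in inventory if a.privileged and a.service_account]
    human_gaps = {a.name: check_account(a) for a in humans if check_account(a)}
    service_gaps = {a.name: check_account(a) for a in services if check_account(a)}
    population = len(humans)
    rate = round(100 * len(human_gaps) / population) if population else 0
    return {
        "privileged_human_population": population,
        "human_exceptions": human_gaps,
        "human_exception_rate_pct": rate,
        "service_account_exceptions": service_gaps,
        "compliant": not human_gaps and not service_gaps,
    }


# Constructed sample inventory (assumption): four human admins, one
# unprivileged user, two service accounts with broad permissions.
SAMPLE_INVENTORY = [
    Account("alice", True, mfa_factors=frozenset({"fido2"})),
    Account("bob", True, mfa_factors=frozenset({"totp", "sms"})),
    Account("carol", True, mfa_factors=frozenset({"sms"})),       # SMS only
    Account("dave", True),                                         # no MFA
    Account("erin", False),                                        # out of scope
    Account("svc-deploy", True, service_account=True,
            ip_allowlist=["203.0.113.0/24"], max_session_seconds=900),
    Account("svc-migrate", True, service_account=True),            # no compensating controls
]

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(SAMPLE_INVENTORY), indent=2))
```

Run the same check against a fresh inventory export after each remediation action; a report with `compliant: true`, kept alongside the export it was computed from, is the kind of dated, reproducible evidence the plan's evidence field should point at. Note that an account with both TOTP and SMS enrolled passes, because the gap the finding describes is SMS as the only factor, not SMS being present.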
Write your remediation plan in YAML below. Fill in every field — replace all placeholder comments.