Overview
A Management Review Meeting is a formal, periodic review by executive management to evaluate the effectiveness of controls, risk posture, and compliance status. This process supports SOC 2 CC4 by ensuring management actively monitors control performance and addresses identified issues.
Step-by-Step Process
Schedule review meeting
The CEO schedules a quarterly management review meeting with executive leadership and relevant control owners. The meeting invite must include the agenda, time, and virtual meeting link, and be scheduled at least two weeks in advance. The output is a calendar invitation sent to all required attendees.
Role: CEO
Compile compliance inputs
The Compliance Manager gathers required inputs such as risk assessments, control performance metrics, incident summaries, and prior action items. These materials are consolidated into a single review packet for management. The output is a dated management review packet document.
Role: Compliance Manager
Distribute agenda and materials
The Compliance Manager distributes the agenda and review packet to all attendees before the meeting. Distribution should occur at least three business days prior to the meeting. The output is an email or shared workspace record showing materials were shared in advance.
Role: Compliance Manager
Conduct management review
The CEO leads the meeting, reviewing control effectiveness, open risks, incidents, and remediation progress. Management discusses issues and determines whether changes or corrective actions are required. The output is real-time meeting notes capturing decisions and action items.
Role: CEO
Document decisions and action items
The Compliance Manager documents meeting minutes, including attendees, discussion points, decisions, and assigned action items with due dates. Minutes must be finalized within five business days of the meeting. The output is a dated and approved meeting minutes document.
Role: Compliance Manager
Track remediation actions
Assigned owners track progress on action items identified during the meeting. The Compliance Manager monitors completion status and updates leadership as needed. The output is an action item tracker showing status updates and completion dates.
Role: Compliance Manager
What You Need Before Starting
- Access to executive calendars and Google Meet
- Latest risk assessment and control performance reports
- Incident and exception logs for the quarter
- Prior management review meeting minutes and action item tracker
Evidence Your Auditor Expects
- Calendar invitation showing quarterly management review meeting date and attendee list
- Dated management review agenda and review packet shared before the meeting
- Google Meet meeting record or attendance screenshot with timestamp
- Final meeting minutes document with meeting date and CEO approval
- Action item tracker showing assigned owners and completion dates
How This Looks In Your Tools
Google Meet
From Google Calendar, click “Create” and select “Event,” then add the meeting title and required attendees. Click “Add Google Meet video conferencing” to generate the meeting link automatically.
After the meeting, open the calendar event, select “Edit,” and attach any meeting notes or link to minutes stored in Google Docs. Take a screenshot of the Meet attendance panel during the meeting to retain timestamped attendance evidence.
Confluence
In Confluence, navigate to the Compliance or Governance space from the left-hand menu. Click “Create” and select a meeting notes template or blank page titled “Quarterly Management Review – [Date].”
Document the agenda, attendees, discussion points, decisions, and action items directly on the page. Use the “Publish” button and ensure page history shows the creation and last updated dates for audit evidence.
Google Docs
In Google Drive, click “New” > “Google Docs” and create a document titled “Management Review Meeting Minutes – [Date].” Use headings for attendees, agenda items, decisions, and action items.
After finalizing, click “Share” and grant view access to executive leadership. Confirm the document shows the correct creation date and last edited timestamp in the “File” > “Version history” menu.
Common Audit Findings
- Meetings not held quarterly: Organizations sometimes miss scheduled reviews due to executive availability. Prevent this by scheduling all quarterly meetings at the start of the year and tracking completion in a compliance calendar.
- Lack of documented decisions: Meetings occur but outcomes are not formally documented. Ensure detailed minutes are recorded and approved after each meeting to demonstrate management oversight.
- Action items not tracked: Auditors often find no evidence that identified issues were followed up. Maintain an action item tracker with owners, due dates, and completion status.
- Insufficient attendance evidence: Attendance is discussed but not proven. Capture attendance via calendar invites, Meet screenshots, or documented attendee lists in meeting minutes.