Audit and Risk Management: Where They Intersect
Discover best practices for effective audit risk management tailored for defense contractors.
---
Risk management and auditing are not the same thing. People use the terms interchangeably — especially in defense contracting circles — and that confusion leads to real problems when the Cybersecurity Maturity Model Certification (CMMC) assessment rolls around.
Here's the short version: risk management is what you do to identify and treat problems before they bite you. An audit is what happens when someone independently checks whether you've actually done that work. They're related, they inform each other, and CMMC requires both. But collapsing them into one activity leaves gaps that assessors will find.
What Risk Management Actually Means
Risk management in the CMMC context starts with a risk assessment. You look at your environment — your systems, your data, your people, your processes — and ask: what could go wrong, and how bad would it be?
NIST SP 800-171, which underpins CMMC Level 2, requires this through the Risk Assessment (RA) domain. Practice RA.L2-3.11.1 requires periodically assessing the risk to your operations and assets from unauthorized access, use, disclosure, modification, or destruction of your systems and Controlled Unclassified Information (CUI). Practice RA.L2-3.11.2 requires scanning for vulnerabilities in your systems periodically and when new vulnerabilities are identified.
The output of a risk assessment is a list of findings — gaps, weaknesses, and threats you've identified. You document those findings in a Plan of Action and Milestones, called a POA&M (pronounced "po-am"). The POA&M is your commitment: here's the problem, here's what we're doing about it, and here's the timeline.
Risk management is an ongoing process. You don't do it once. Threats evolve, systems change, people leave, contracts expand. A risk assessment done 18 months ago is a historical document, not a current security posture.
What an Audit Actually Means
An audit is an independent review that verifies whether your controls are working as documented. It's not the same as doing the work — it's checking that the work was done, correctly, and that you can prove it.
In the CMMC world, the most formal audit is your C3PAO (CMMC Third-Party Assessment Organization) assessment for Level 2. A C3PAO is a DoD-authorized company whose job is to evaluate your environment against all 110 CMMC Level 2 practices. They examine your documentation, interview your people, and test your controls. At the end, they report whether each practice is Met or Not Met.
But the C3PAO assessment isn't the only audit that matters. Internal audits — or third-party gap assessments — happen before the formal assessment and serve a different purpose: they help you find problems while you still have time to fix them.
The Security Assessment (CA) domain covers this directly. Practice CA.L2-3.12.1 requires periodically assessing security controls to determine if they're effective. Practice CA.L2-3.12.2 requires developing and implementing a plan to correct deficiencies — which is essentially what a POA&M is. These two practices are where risk management and auditing formally converge in CMMC.
Where They Intersect
The connection is straightforward once you see it.
Your risk assessment identifies vulnerabilities and weaknesses. Your POA&M documents your plan to fix them. Your internal audit verifies that the fixes actually happened and that controls are working as designed. Your C3PAO assessment is the formal, independent confirmation of all of the above.
The System Security Plan (SSP) sits at the center of this cycle. Your SSP is the document that describes how your organization implements each of the 110 Level 2 practices. It's not just a checklist — it describes your specific environment, your specific tools, and your specific procedures. Your risk assessment findings update the SSP (or create POA&M items where gaps exist). Your audit results validate the SSP.
Think of it this way: the SSP tells the story of your security program. Risk management writes new chapters when things change. Audits check whether the story is true.
The Common Mistake
Most contractors who struggle with CMMC conflate risk assessments with audits. They run a gap assessment, get a list of findings, and call it "risk management." Or they document their controls in an SSP and treat documentation as equivalent to verification.
Neither is accurate. A gap assessment is a snapshot — useful for planning, but not a substitute for the ongoing risk management process that RA.L2-3.11.1 requires. And documentation is only the first step; you still need to demonstrate that the documented controls are actually operating correctly.
The assessor will check both sides. They'll want to see your risk assessment process (how you do it, how often, who's responsible) and your audit history (what internal reviews you've conducted, what they found, and what you did about it). "We do gap assessments before our C3PAO" is not a risk management program. "We conduct quarterly vulnerability scans, annual risk assessments, and track all findings in our POA&M with documented remediation timelines" is.
Decision Point: When to Run Each
If you're planning your CMMC preparation timeline, here's the sequence that works:
Run a risk assessment first. Before you spend money on controls, know what you're dealing with. A proper risk assessment of a small contractor environment (20–50 people, one or two locations) typically takes two to four weeks with a qualified consultant. Expect to pay $5,000–$15,000 for an independent assessment. The output is your baseline and your POA&M.
Implement controls based on priority. Not every finding has equal urgency. Your risk assessment should rank findings by likelihood and impact. Fix the high-risk items first.
Run an internal audit before scheduling your C3PAO. Once you believe you've addressed your POA&M, have someone — internal or external — audit your controls against the CMMC practices. This is your dress rehearsal. Every finding at this stage is cheaper to fix than a Not Met from your C3PAO.
Schedule your C3PAO when your POA&M is clean. Assessors expect some POA&M items — that's realistic for any organization. What they don't want to see is a POA&M full of critical gaps with no evidence of progress.
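As an added illustration of the four steps above, here is a small POA&M tracker that ranks open findings by likelihood × impact (step two) and answers the scheduling question in step four: does the POA&M still carry a critical gap with no evidence of progress, and is the risk assessment behind it current? This is example code written for this page, not the article's own material or any CMMC tool. The 1–5 scoring scales, the "critical" threshold of 15, the 365-day staleness window (taken from the article's "annual risk assessments"), and every sample finding and date are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Tuple

# Added example, not from the article. A minimal POA&M tracker that ranks open
# findings by likelihood x impact and checks whether the POA&M is clean enough
# to schedule the C3PAO. Scales, thresholds and sample data are assumptions.

CRITICAL_SCORE = 15            # assumed: likelihood x impact >= 15 is "critical"
ASSESSMENT_MAX_AGE_DAYS = 365  # assumed, matching "annual risk assessments"


@dataclass(frozen=True)
class Finding:
    practice: str            # CMMC practice the gap maps to, e.g. "RA.L2-3.11.2"
    description: str
    likelihood: int          # 1 (rare) .. 5 (near certain), assumed scale
    impact: int              # 1 (negligible) .. 5 (severe), assumed scale
    opened: date
    milestones: Tuple[str, ...] = ()
    milestones_done: int = 0
    closed: bool = False

    @property
    def risk_score(self) -> int:
        return self.likelihood * self.impact

    def has_progress(self) -> bool:
        """Evidence of progress: closed, or at least one milestone completed."""
        return self.closed or self.milestones_done > 0


def with_progress(finding: Finding, done: int) -> Finding:
    """Record completed milestones; the item closes when all milestones are done."""
    done = min(done, len(finding.milestones))
    all_done = len(finding.milestones) > 0 and done == len(finding.milestones)
    return replace(finding, milestones_done=done, closed=all_done)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Open findings, highest risk first; ties broken by age (oldest first)."""
    return sorted((f for f in findings if not f.closed),
                  key=lambda f: (-f.risk_score, f.opened))


def assessment_is_stale(last_assessment: date, today: date) -> bool:
    """A risk assessment older than the window is a historical document."""
    return (today - last_assessment).days > ASSESSMENT_MAX_AGE_DAYS


def c3pao_readiness(findings: List[Finding], last_assessment: date, today: date):
    """Return (ready, reasons). Open POA&M items are acceptable; a critical item
    with no progress, or a stale risk assessment, is not."""
    reasons = []
    for f in prioritize(findings):
        if f.risk_score >= CRITICAL_SCORE and not f.has_progress():
            reasons.append(f"{f.practice}: critical gap (score {f.risk_score}) "
                           f"with no milestone progress")
    if assessment_is_stale(last_assessment, today):
        reasons.append(f"risk assessment dated {last_assessment} is older than "
                       f"{ASSESSMENT_MAX_AGE_DAYS} days")
    return not reasons, reasons


# Constructed sample data for a hypothetical contractor (not real findings).
EXAMPLE_DATES = {
    "today": date(2024, 6, 1),
    "current_assessment": date(2024, 1, 10),
    "stale_assessment": date(2022, 12, 1),
}

SAMPLE_POAM = [
    Finding("RA.L2-3.11.2", "No recurring vulnerability scans of the CUI enclave",
            5, 4, date(2024, 1, 15), ("Procure scanner", "Schedule monthly scans")),
    Finding("CA.L2-3.12.1", "No documented schedule for internal control reviews",
            3, 3, date(2024, 2, 1), ("Draft review calendar",), milestones_done=1),
    Finding("RA.L2-3.11.1", "Risk assessment procedure not documented",
            4, 4, date(2023, 11, 3), ("Write procedure", "Approve procedure"),
            milestones_done=2, closed=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_POAM):
        print(f"{f.risk_score:>2}  {f.practice}  {f.description}")
    ready, reasons = c3pao_readiness(SAMPLE_POAM, EXAMPLE_DATES["current_assessment"],
                                     EXAMPLE_DATES["today"])
    print("ready to schedule C3PAO:", ready)
    for r in reasons:
        print("  -", r)
```

Run as written, the sample POA&M is not ready: the vulnerability-scanning gap scores 20 with no milestone completed. Recording one completed milestone on that item (via `with_progress`) flips the result to ready even though the item stays open, which mirrors the article's point that assessors accept open POA&M items but not critical gaps with no evidence of progress.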
The Bottom Line
Risk management and auditing reinforce each other. One identifies problems; the other confirms they're fixed. Neither works without the other. And CMMC requires both to be ongoing, documented, and demonstrably operational — not done once as a project and forgotten.
If you want to go deeper on how to structure your risk assessment process specifically for CMMC, the next article in this series covers building a risk assessment framework that maps directly to the RA and CA domain requirements.