How to Determine Your SOC Reporting Period & Report Validity
When planning for a SOC examination, the service organization undergoing the evaluation must make several decisions to ensure that its needs, and those of its customers, are met: which vendors are subservice organizations, how those subservice organizations are treated (carve-out vs. inclusive), and which type of report is needed. Another key decision is your SOC reporting period, and there are a few factors to consider before you set it.
As a leading provider of SOC reports, with over two decades of experience performing these examinations, we’ve experienced firsthand how properly structuring reporting periods can positively impact an organization’s compliance journey with clients, prospects, and internal personnel (who will benefit from the time savings).
In this blog post, we’ll walk through three important factors you should consider when setting your SOC examination reporting period, and we’ll also touch on how long your SOC report remains valid. That way, as you begin your SOC journey, you’ll be better equipped to plan a reporting period that fits your circumstances.
3 Big Factors to Consider When Setting Your SOC Reporting Period
Among all the different items that can influence a reporting period, there are three key questions you’ll need to answer when determining yours:
- Is sufficient audit evidence available?
- Is there an opportunity to align with other compliance initiatives?
- Does your reporting period support your user entities’ auditor’s purposes?
1. Is Sufficient Audit Evidence Available?
Important General Note: Evidence about the operation of controls in prior periods does not provide evidence of operating effectiveness during the current period.
Why does this matter? The shorter the period over which the control is tested, the less likely your auditor will be able to obtain sufficient appropriate evidence to express an opinion on the effectiveness of your controls.
To demonstrate, consider a SOC report covering six months. SOC 2 Availability criterion A1.3 states, “The entity tests recovery plan procedures supporting system recovery to meet its objectives.” Organizations generally test their business continuity plan (BCP) / disaster recovery plan (DRP) annually, but if that annual test does not fall within your six-month reporting period, it cannot serve as evidence for that control, and without it, criterion A1.3 could be difficult to meet.
It can get worse: if no additional controls are in place to meet the criterion, your auditors may be unable to obtain enough evidence to support an opinion on it. So, while your organization may have done nothing wrong, your SOC report is no longer “clean” purely because of how the reporting period was structured.
It’s perhaps for this reason that most organizations opt for a 12-month reporting period (that doesn’t include the “ramp up” period—i.e., the transition from a Type 1 to Type 2).
2. Is There an Opportunity to Align with Other Compliance Initiatives?
But how long it’ll be is just one aspect—you’ll also need to determine when your reporting period will begin and end, and that can be influenced by any other compliance initiatives you’re currently pursuing.
These days, compliance isn’t just a requirement; more and more, it’s a market differentiator, which has many organizations pursuing several frameworks at once. Multiple initiatives can burden your teams, but that burden can be reduced by structuring the initiatives together and aligning their reporting periods. That is, where there is overlap (common controls that apply to multiple frameworks), that overlap can and should be leveraged so that one round of testing supports more than one report.
Let’s say that your organization has been ISO 27001 certified and you’re thinking about adding SOC 2. Well, those planned ISO assessment dates should be considered when setting your SOC 2 reporting period so that you can perform the SOC 2 and ISO 27001 assessments around the same time and leverage testing between them.
(Of course, there will be other organizationally-specific factors—such as the availability of internal resources to support the engagement, structure of prior engagements that play a role, etc.—that will affect whether any alignment of testing periods is doable.)
3. Does Your Reporting Period Support Your User Entities’ Auditor’s Purposes? (SOC 1 Examinations ONLY)
If an auditor for a customer of yours determines that your controls are relevant to that customer’s financial statement audit, they’ll need to test them. Typically, service organizations with this obligation opt to just provide the user entity’s auditor with a Type 2 SOC 1 report (as it helps limit the number of people performing tests of your controls).
But if you do want to be able to provide a Type 2 SOC 1 report—which provides information on the operating effectiveness of controls relevant to the user auditor’s financial statement audit—the audit period needs to be appropriate for the user entity auditor’s purposes. To be useful, your SOC report needs to overlap substantially with the period covered by the user entity’s financial statement being audited.
If it doesn’t, the tests of your controls won’t help your user’s auditor much, which could mean your organization is subjected to additional testing.
How Long is Your SOC Report Valid?
Though not directly related, consideration of reporting periods often leads to one last point, and to a question we consistently receive: “How long is my SOC report valid?”
Given the common structure of reporting periods, the general rule of thumb is 12 months; however, it’s entirely up to your customers and what they’re willing to accept. For its part, the AICPA doesn’t specify a period of time for report validity, though it only permits the use of the AICPA SOC logo for 12 months following the date of your report. (So, you just need to connect the dots.)
All that to say, annual SOC reports are a general expectation, and well-structured SOC programs cover rolling periods to avoid gaps in assurance to your customers. For instance, if your report covers January 1 to December 31, your next examination should begin on January 1 of the following year to maintain continuous coverage.
Next Steps for Your SOC Examination
Choosing the right SOC reporting period for your organization will involve finding a delicate balance between your operational readiness, client expectations, and your audit firm’s schedule.
That being said, while these factors are important, they should be weighed against your organizational goals. If your business is progressing from a Type 1 to a Type 2, an abbreviated period often makes sense if you value having a Type 2 report in hand as soon as possible. As is often the case in compliance, it comes down to a cost-benefit analysis.
Making the right decisions to shape your upcoming SOC examination is critical, but so is making the right moves after your audit. To help with that, check out our other content:
About TERRY O'BRIEN
Terry O’Brien is a Director with Schellman. He is responsible for the management and execution of engagements across multiple service lines. Since joining in 2013, Terry has participated in business development activities and supported practice development initiatives via his participation in both the SOC and Cybersecurity Task Force. Terry has 10 years of IT compliance and attestation experience. Prior to his time at Schellman, he worked in the Advisory Services division of Grant Thornton in Chicago, Illinois.