Year 1 vs. Recurring SOC 2 Examinations: The Effort Involved

SOC Examinations

When committing to a SOC 2 examination, or any compliance initiative, one of the first questions asked concerns the budget and time required. The answer varies from one organization to another depending on a few factors, but there is also a consistent difference between the effort needed to prepare for the first examination and the effort spent on the examinations in the years that follow.

As a SOC 2 examination is generally an annual audit, it’s important to know what you’re getting into beforehand. As a leading provider of SOC reports, we’re going to break it down for you.

In this article, we’ll compare five areas where your effort will be required in both year 1 and recurring SOC 2 examinations and note the differences so that you have a better idea of the lift you’ll be expected to make throughout this long-term commitment.


The Labor Difference Between Year 1 and Recurring SOC 2 Examinations

Think of a SOC 2 examination as if you’re building a house to live in. First, you have to build it—get the frame in place, roof it, solidify the walls, and furnish it. That’ll take time, but once it’s built, any maintenance, additions, or updates should take less time since you’ll already have the established structure there as a baseline.

What to Expect Effort-Wise During Your Year 1 SOC Examination

Your first SOC 2 experience will be a bit like building that house, and the time and effort you’ll spend to “construct” it—or, to get ready to be assessed—will depend on a few things, like:

  • System complexity;
  • Any relevant SOC 2 documentation or controls that already exist;
  • Which Trust Services Categories are in-scope; and
  • The maturity of the control environment and knowledge of the control owners.

That being said, several areas generally demand time and resources during your first SOC 2 examination:

  1. Engagement Scoping: In starting from scratch in shaping your SOC 2 examination, you’ll need to dedicate time and effort to define the audit scope and establish system boundaries, which will involve:
    • Internal collaboration;
    • Understanding customer or client expectations; and
    • Coordination with your contracted service auditors to determine the covered system and preferred reporting date or period for the initial SOC 2 report, whether it’s a Type 1 or Type 2 report.
  2. Control Implementation and Gap Assessment: Though an optional first step, organizations typically undergo control mapping or gap assessments ahead of their first SOC 2 examination. Whether this process is conducted internally or with external assistance, it will identify any remaining control gaps with respect to the applicable SOC 2 criteria so that you can understand your readiness before you begin a Type 1 SOC 2 examination or begin a Type 2 SOC 2 reporting period.

    As helpful as this additional assessment may be, it will take time to perform.

  3. Documentation and Evidence Collection: In performing a SOC 2 examination, your service auditor will assess the design (Type 1) or design and operating effectiveness (Type 2) of your controls within the audit scope—to do that, they’ll need evidence from your environment.

    Therefore, you must plan evidence collection and create audit collection plans as outlined in the evidence request list that will be provided by your service auditor. These initial determinations of what to collect and who will provide it will take time.

  4. Acclimatization: Year 1 SOC 2 examinations often involve a learning curve for both the audit team and your organization, particularly during the detailed walkthroughs with service auditors—an essential process that involves thorough discussions between your control owners and your assessors so that the latter can gain a comprehensive understanding of organizational processes and the control environment.

  5. Reporting: Compiling SOC 2 reports entails various elements, including Section 3 of the report, which captures the system description in detail and all process descriptions within the control environment. In year 1, documenting these details for the first time may take more time than in subsequent audits.

The great news is that, no matter how complex your system is, once you complete this initial groundwork the time spent on each subsequent SOC 2 cycle should be less, since much of your upfront effort will pave the way for future efficiencies.

What to Expect Effort-Wise During Your Recurring SOC Examination

To prove that, let’s revisit these five aforementioned areas to see what you can expect from an effort perspective in recurring SOC 2 audits:

  1. Engagement Scoping: Much of the scoping and readiness work will have been established in the first year, so your subsequent cycles will primarily involve scope reviews and adjustments to ensure continued alignment with organizational changes and customer expectations.

  2. Control Implementation and Gap Analysis: Following the initial implementation and gap analysis that would be performed in year 1, subsequent audits focus on continuous improvement of your control environment—including the maturation of processes and introduction of additional controls to mitigate emerging risks—but these spot enhancements should take less time.

  3. Documentation and Evidence Collection: Providing evidence of control design and operating effectiveness remains a significant aspect of recurring audits, but if—during year 1—you formally documented how to collect certain pieces of evidence and who initially collected what internally, you should be able to streamline that process in subsequent cycles.

Given that you’ll also already be familiar with service auditor requirements for evidence during subsequent examinations, you can instead work to maximize your first-time resolution on each request—i.e., providing the correct evidence the first time, allowing your service auditor to accept it and close out the item—which will help save stakeholders time and effort.

  4. Acclimatization: Your first SOC 2 examination will provide your service auditors with a full understanding of your controls and processes, so the aforementioned learning curve—and related possible delays—shouldn’t be an issue during subsequent audits when you’re concentrating on refining processes and introducing any mitigating measures to address new risks to the environment.

    Working through these updates with your service auditor might require some dedicated walkthrough time, but since they’ll already have an understanding of your system, that will help eliminate the need to regurgitate the same processes in depth each cycle.

  5. Reporting: While periodic updates may be necessary to reflect changes in scope or control sets, the bulk of reporting efforts are concentrated in the first year—reports for your recurring SOC 2 examinations typically involve relatively minor updates and are primarily focused on reflecting organizational enhancements.

Moving Forward with a SOC 2 Examination

Once an organization gets through its first SOC 2 audit, providing at least an annual SOC 2 report to customers is, in today’s market, likely to be an expected requirement. That said, before taking on the first SOC 2, it’s important to understand the time required for the year 1 SOC 2 audit versus the recurring SOC 2 audits, as the effort required for the audits that follow will inherently differ from the labor necessary to prepare for and go through your inaugural audit.

But as we’ve made clear, organizations can achieve efficiencies in their annual SOC 2 examinations by leveraging the groundwork laid during the first year as they instead work to improve their control environments through control maturity and other continuous improvement initiatives.

To learn more about SOC 2 examinations, what they entail, and what to expect, make sure to check out our other content detailing different aspects:

About Nate Kocan

Nate Kocan is a Manager within the SOC Services practice of Schellman, based in Columbus, OH. Prior to joining Schellman, Nate specialized in SOC 1 audits and IT audits supporting financial statement audits. As a Manager with Schellman, Nate Kocan has over six years of experience comprised of serving clients in various industries, including cloud computing and data centers, financial services and fintech, and healthcare. Nate is focused primarily on SOC, HIPAA, and various attestation audits for organizations across various industries.