Suppose your organization is considering embarking on a SOC 2 report journey, either to satisfy a new annual requirement from a customer or to win a major new contract. If that is the case, you may also be wondering how long the process will take.
SOC 2 Type 1 vs. SOC 2 Type 2: Impact on Testing Timeframe
It is first important to note the distinction between a SOC 2 Type 1 report and a SOC 2 Type 2 report, as the type of SOC 2 report will impact the level of effort and timing required for undergoing an examination and issuing the first report. The difference in reporting is as follows:
- A SOC 2 Type 1 report is “as of a point in time” and addresses the design of controls.
- A SOC 2 Type 2 report covers a period of time, addresses the design of controls, and an independent auditor tests the operating effectiveness of controls.
How does the SOC 2 report type impact testing? Let’s look at change management as an example. In a SOC 2 Type 1 examination, your auditor will likely test only one recent release to observe or inspect the controls in place surrounding change management (i.e., that the change was properly reviewed and approved and underwent testing prior to release).
In a SOC 2 Type 2 examination, however, your auditor will select a sample of releases or code commits from a population that covers the entire period. The total number of releases or commits selected for testing depends on a few factors, including:
- Frequency of changes during the period
- Number of applications in scope for your system
- Level of risk that the auditor assesses using their judgment for the controls to be tested
- Scope of the examination and resulting report
Due to the level of effort required, the amount of time needed for Type 1 and Type 2 reports varies drastically.
SOC 2 Examination Key Phases
In preparing for a SOC 2 examination for the first time, there are typically a few phases:
Phase I: Readiness Assessment (1 – 2 Months)
Prior to engaging an independent third party to perform your SOC 2 examination, it is recommended to perform a readiness assessment to identify the principal service commitments covered by the system or services, document the control activities, and then map your controls to the selected Trust Services Criteria (TSC).
This process of identifying existing controls and gaps typically takes a few weeks and involves interview sessions and document/content sharing with various stakeholders within the organization to identify what controls currently exist and where additional controls may be recommended. If you consult with a third party, such as Cherry Bekaert, the final deliverable of the readiness assessment typically consists of:
- A listing of management’s identified controls mapped to the TSC and applicable points of focus
- The current status of those controls (like a health check status)
- Other identified gaps and weaknesses for remediation
When using a third party, the readiness assessment phase typically lasts from one to two months from initial engagement through final delivery of a control set.
Phase II: Policy and Control Implementation (1 – 6 Months, Depending on Maturity Level)
During the readiness process, gaps may be identified, or controls may be found that management needs to remediate or implement before the organization can successfully undergo a SOC 2 examination. When required, service organizations may elect to (1) proceed to a period of remediation, (2) implement controls to demonstrate commitment to principal service commitments, or (3) address recommendations for better control maturity or coverage.
If gaps are identified during the readiness assessment, the organization will want to allow time for these gaps to be remediated. Some gaps may require a significant amount of time to implement before undergoing an examination. Examples of more significant gaps include implementing a ticketing system or a Security Information and Event Management (SIEM) system, or establishing a risk assessment process. Other gaps may be minor; if the organization elects to undergo a SOC 2 Type 1 examination first, these may require less time for remediation and may allow the Type 1 audit to start while the gaps are still being resolved.
Phase III: Audit Fieldwork
Many organizations elect to first undergo a SOC 2 Type 1 examination to obtain a final report in hand faster and treat the examination as a “mini audit” to get a feel for what will be expected from an evidence and audit process standpoint for a full SOC 2 Type 2 examination. The timing for both types of examinations is typically as follows:
SOC 2 Type 1 (Commences Immediately)
Because a SOC 2 Type 1 report is “as of a point in time” and tests the design of controls, testing can begin as soon as the organization is confident that the identified controls have been implemented.
Fieldwork timing for a SOC 2 Type 1 examination can range from a few weeks to one to two months, depending on factors such as client preparedness, staffing capacity and timeliness in responding to audit requests.
SOC 2 Type 2 (3 – 12 Months)
Although the AICPA does not specify a minimum allowable audit period for a SOC 2 Type 2 examination, the shortest testing period typically seen in practice is three months. Once established, most organizations undergo annual examinations. However, some elect to obtain reports more frequently and will opt for rolling six-month or quarterly test periods, if service commitments or client demands require it.
For first-time SOC 2 Type 2 examinations, many organizations will opt for a three-month test period to obtain the final audit report as soon as possible. This also allows the organization to identify potential control failures and other challenges earlier.
With proper planning, fieldwork for a SOC 2 Type 2 report can range from one to two months; however, this timeframe also depends on factors such as client preparedness, staffing capacity and timeliness in responding to audit requests.
During the test period, the auditor will request to perform interim and/or design procedures on all controls, especially automated or configured controls, to ensure that they were in place during the test period. Depending on the size of the control set and number of systems in scope, this interim/design testing period could take a few weeks.
Near the end of the test period or shortly after, the auditor will then request that sample populations be provided to test the operating effectiveness of certain controls. This may include:
- Human resources (HR) controls (e.g., sampling new hires to ensure background checks were performed or sampling employees to ensure that annual performance reviews occurred)
- Certain logical access controls (e.g., sampling servers and workstations to ensure endpoints are protected)
- Any controls that operate on a daily, weekly or monthly cadence
Phase IV: Audit Wrap Up and Report Issuance (1 Month)
Once all requested evidence has been provided to the auditor and fieldwork has been completed, the audit report and test workpapers will need to go through the audit firm’s review and quality control processes. There may be some follow-up requests that arise from this review, and typically, the process will take around three to four weeks.
Avoiding Pitfalls: How To Manage Common SOC 2 Challenges
Beginning With a Type 2 Examination
It is unlikely that an auditor will recommend jumping directly into a SOC 2 Type 2 for a first-time examination. The risk of receiving a “qualified opinion” due to failures in the design or operation of controls is higher, which could jeopardize customer relationships and trust in the system and services. Even if your company is confident that the controls identified have been fully implemented, the auditor may uncover that certain key controls are not operating effectively and require remediation. Additionally, there is a risk that some controls may have been performed but cannot be evidenced, leading to exceptions, scope limitations or report qualifications.
Instead of starting with a SOC 2 Type 2 examination, consider first undergoing a SOC 2 Type 1. This approach allows you to understand what evidence will be acceptable to the auditor. A SOC 2 Type 1 engagement is more cost-effective and serves as a stepping stone towards a successful SOC 2 Type 2 examination.
Although jumping directly into a Type 2 without any form of readiness assessment or Type 1 examination poses a risk of an unfavorable report being rendered, we have seen organizations that have undergone other assurance services transition more smoothly directly into a SOC 2 Type 2. In these circumstances, where your company has maturity in other compliance or certification initiatives, it may be beneficial to jump directly into a SOC 2 Type 2.
If you are receiving pressure from customers to issue a report as quickly as possible, it may be beneficial to ask them whether they would accept a Type 1 initially, with a commitment to a subsequent Type 2 after sufficient time has been allowed to demonstrate that controls are operating.
Over-Testing Trust Services Criteria
A common misconception is that to issue your first SOC 2 report, an organization needs to address all five TSC. Customers may also request that your SOC 2 report cover all the TSC without understanding that not all criteria are applicable to your organization or your principal service commitments. It is important to have these conversations with customers, prospects and business partners who are asking for a SOC 2 report to ensure their TSC needs are met.
You can reduce the extent of procedures performed by focusing on the Security criteria first and then layering in additional criteria as applicable in future examinations. Although there is room for overlap amongst the common criteria and other criteria such as Availability and Confidentiality, the cost of a SOC 2 examination increases incrementally as additional criteria are layered in to capture the time and effort of testing unique controls mapped to each criterion.
Not Prioritizing Compliance
Undergoing a SOC 2 examination is a significant undertaking. While a company does not need a dedicated compliance function to successfully undergo a SOC 2 examination, having a compliance team or project management function overseeing the progress can ensure it progresses smoothly and on schedule. Depending on the timeline, service commitments, size of the organization and other factors, the resourcing needs vary for each engagement. If a company lacks a compliance function, it is essential to ensure that there are sufficient resources to respond to audit requests promptly and stay on track with target issuance deadlines.
Involving key control owners in the audit process is crucial. These individuals possess the skills and knowledge to accurately represent the controls. Although you may consult with your auditor as part of a readiness assessment before being engaged in a SOC 2 examination, the resulting control set is the organization’s responsibility. As an organization continues to evolve, it is vital to update the control set to reflect what is documented and occurring in practice, as well as to address new commitments as they arise. Ensuring the control set is up to date before starting the examination allows the auditor to develop an appropriate test plan and reduce unnecessary testing due to changes in audit approach mid-examination.
How Can Cherry Bekaert Help
Cherry Bekaert’s Risk & Cybersecurity professionals have more than three decades of SOC and information assurance experience across all industries and disciplines, serving on state-level boards and AICPA committees that oversee the implementation of TSC standards updates. Whether you are just beginning your SOC examination journey or completing your recurring annual examination, our dedicated teams work closely with your organization to help you achieve your goals. Reach out to your Cherry Bekaert advisor or a member of our Information Assurance & Cybersecurity practice to start your SOC 2 journey today.