Article Summary
- A SOC exam typically spans multiple phases: control gap assessment (hours to days), control design and implementation (1–6 months), fieldwork (3 days–3 weeks), and reporting (1–2 months).
- Identifying whether a SOC 1, SOC 2, or SOC 3 report is needed depends on whether services impact financial reporting or IT/security controls.
- Organizations must define control objectives (SOC 1) or select applicable Trust Services Criteria principles (SOC 2/3) and implement documented controls.
- Internal audit teams and GRC tools can significantly streamline preparation, evidence collection, and control documentation.
- Even if exceptions are found during testing, a report may still receive a clean opinion if deficiencies are not material.
How Long Does A SOC Exam Take?
When a service organization has decided they will need a SOC exam performed, they often wonder what the next step should be or how long the exam will take. The SOC exam process can be defined in the following phases:
- Control Gap Assessment (2 hours to few days)
- Control Design and Implementation (1 to 6 months)
- SOC Narrative preparation and SOC controls listing (completed during the Control Design and Implementation phase)
- SOC Independent Auditors’ fieldwork (3 days to 3 weeks)
- SOC Reporting (1 to 2 months)
More details of each phase are noted below:
Control Gap Assessment
During this phase, service organizations gain an understanding of which controls they lack in addressing the various control objectives (SOC 1) or Trust Services Criteria (SOC 2). This can be done with the auditor’s help or by performing their own analysis of which existing controls address the various criteria. This phase can take a few hours to a few days depending on the size of the organization, the depth of the analysis, and the complexity of the systems.
Larson & Company provides a free 2-hour initial SOC readiness assessment to help identify any control gaps a service organization may need to correct and any control design deficiencies. The most commonly identified control gap for a company preparing for a SOC exam for the first time relates to the documentation relating to formalizing policies or documenting the performance of controls, such as independent review signoffs or approval of code changes before migration to the production environment. This assessment will also provide the auditor detailed information on the number and type of controls related to the SOC exam, allowing the auditor to then provide a more detailed analysis to determine the nature, timing, and extent of testing required for the SOC exam and provide the service organization a more accurate engagement fee estimate for the exam.
Control Design and Implementation
Once the service organization understands the areas where controls may be lacking as a result of the control gap assessment, it is ready to design and implement those controls. It is important to note that beyond the mere deployment of a procedure, a well-designed control should also incorporate the review and documentation of that procedure. For example, if an entity deploys a new intrusion detection system, the control should also be coupled with notification of appropriate parties, review by appropriate parties, and proper documentation of incidents and the resulting plans to mitigate them. This phase usually takes about 1 to 6 months depending on the number of controls that need to be implemented and their complexity.
SOC Narrative Preparation and List of Controls
As part of the SOC exam, service organizations are also required to prepare their description of the system which will be included as part of the SOC report. This description will include the services being provided by the system, service commitments and system requirements, and a general overview of the system environment, including any subservice organizations or user control considerations. A list of controls is also provided by the service organization to the SOC auditors, mapped to the various criteria or control objectives, so the SOC auditors can begin to plan in detail the nature, extent, and timing of their testing.
This phase of the SOC exam process can be performed during the Control Design and Implementation phase. Although it is ideal for the narrative to be prepared prior to exam fieldwork beginning, in practice, this is most likely to be finalized during or after fieldwork as changes in the wording of controls may occur during the testing performed by the auditor.
SOC Independent Auditors’ Fieldwork
Once the first three phases are completed and the controls are provided to the auditors, the auditors will be ready to create the list of requests needed to begin the exam fieldwork. During fieldwork, auditors will be onsite to conduct interviews and walkthroughs to observe how controls are functioning, select samples, request additional evidence of control documentation, and document the results of their testing. Constant communication between the service organization and the auditor during this phase is essential. It ensures the auditor fully understands the controls and determines whether changes to the control descriptions are necessary. It is also essential that all parties understand and agree on the cause and impact of any exceptions discovered during testing. The amount of time the auditors will be onsite to perform these tests depends on the complexity of the system and the availability of the control documentation necessary for testing, but fieldwork generally lasts between 3 days and 3 weeks.
SOC Reporting
Once exam testing is complete, the auditor and the service organization will work together to finish drafting and proofing the report. For SOC 1 Type 2 and SOC 2 Type 2 reports, in accordance with reporting guidelines, any exceptions found by the auditor during testing must be listed in the results of the report. It is not uncommon for exceptions to arise from testing performed. While such exceptions will appear in the results section of the report, as long as exceptions noted are not material enough to indicate a likelihood that the control objective would not be achieved, the auditor’s opinion on the report may still be a “clean” opinion. Management of the service organization may also respond to any exceptions noted from the exam in the report integrated with the report of testing of operating effectiveness or as a separate section of the report. This phase of the SOC exam usually takes about 1 to 2 months.
How to be SOC ready
More and more customers are requesting service organizations to obtain a Service Organization Control (SOC) audit in order be qualified to become their vendors. When such requests are received, how does a service organization prepare for a SOC audit? The following steps describe the typical stages of a SOC audit.
Identify which SOC audit is needed
There are two focuses among the SOC audits available: financial-focused controls audits (SOC 1) and IT environment-focused controls audits (SOC 2 and SOC 3). The main factor determining which SOC audit a service organization needs is what services it provides to its customers. For example, customers of data hosting services like Amazon Web Services (AWS) or Microsoft Azure will be more interested in a SOC 2 or SOC 3 audit, since AWS and Azure do not take responsibility for any financial reporting but do provide the security and availability of the customer data hosted at their datacenters. Conversely, customers of payroll processors, like ADP, will probably be most interested in the accuracy and completeness of their processing and reporting, thus requiring a SOC 1 report. At times, the customer of the service organization may not even know the differences between these reports, and some research with the service organization and its customers may be necessary to determine which SOC audit report is right for them. A more in-depth discussion of the differences among these reports can be found in our white paper titled Building Trust by Obtaining a Service Auditor’s Report.
After identifying the report, you must decide on the control objectives or applicable principles to narrow the scope.
After the audit focus is decided between SOC 1, SOC 2, and/or SOC 3 reports, you will need to determine the scope of the report. This can be done by coming up with applicable control objectives for SOC 1 reports, or by selecting the applicable principles for a SOC 2 and SOC 3 report.
Since SOC 1 reports focus more on financial reporting, the service organization will need to determine the control objectives that would impact the financial reporting of processing transactions. Continuing our example above, one of the control objectives ADP may identify would be “controls provide reasonable assurance that the reports generated for customers are complete and accurate” and/or “controls provide reasonable assurance that only authorized individuals can make changes to the payroll file.” Since each service organization’s controls are different, entities must determine, on their own, all applicable control objectives for their report.
For SOC 2 reports, instead of coming up with their own control objectives, service organizations will need to determine which principles are applicable for their system. There are five principles a service organization can choose from: security, availability, confidentiality, processing integrity, and privacy. Once a principle is chosen, an organization will need to have controls that address a list of criteria specified for the principles chosen. A service organization can choose between one to all of the principles for testing. However, at a minimum, the security principle must be chosen.
After identifying the control objectives or applicable principles related to the SOC audit, the service organization will need to determine what controls address the control objectives or criteria.
Deciding which controls, and how many, are needed to sufficiently address the respective control objectives (SOC 1) or principles (SOC 2 and SOC 3) requires judgement. This may be the most time-consuming stage of the audit for the service organization and requires some assistance and guidance from your auditor. Larson & Company provides a free 2-hour initial SOC readiness assessment to help identify any control gaps that a service organization may need to correct and any control design deficiencies. The most commonly identified control gap for a company that has never gone through a SOC audit relates to the documentation of the performance of controls, such as independent review sign-offs or approval of code changes before migration to the production environment. This assessment will also provide the auditor detailed information on the number and type of controls related to the SOC audit, allowing them to then provide a more detailed analysis to determine the nature, timing, and extent of testing the audit requires and provide the service organization a more accurate engagement fee estimate for the audit.
Preparation of Management Description
When the service organization has fully implemented all required controls, it is ready to begin preparing the management description that will be included as part of the SOC report. Although it is ideal for this to occur before the audit fieldwork begins, in practice it is most likely to be completed during or after fieldwork, as changes in the wording of controls may occur during the testing performed by the auditor. The management description should include an overview of the services provided by the service organization, the system’s relevant internal controls, the relevant COSO internal control framework, a list of the subservice organizations utilized by the system, and any user or subservice organization control considerations.
Ready for audit fieldwork
Once the items above are completed and provided to the auditors, the auditors will be ready to create the list of requests needed to begin the audit fieldwork. During fieldwork, auditors will be onsite to conduct interviews to observe how controls are functioning, select samples, request additional evidence of control documentation, and document the results of their testing. Constant communication between the service organization and the auditor during this stage is essential. It ensures the auditor fully understands the controls and determines whether changes to the control descriptions are necessary. It is also essential that all parties understand and agree on the cause and impact of any exceptions discovered during testing. The amount of time the auditors will be onsite to perform these tests depends on the complexity of the system and the availability of the control documentation necessary for testing.
Wrap-Up
Once testing is complete, the auditor and the service organization will finish drafting and proofing the reports together. For SOC 1 Type 2 and SOC 2 Type 2 reports, in accordance with reporting guidelines, any exceptions found must be listed in the results of the report. It is not uncommon for exceptions to arise from the testing performed. While such exceptions will appear in the results section of the report, as long as they are not so material as to indicate a likelihood that the control objective would not be achieved, the opinion on the report may still be a “clean” opinion. Management of the service organization may also respond to any exceptions noted from the audit in a separate section of the report (only included in SOC 1 and SOC 2 audits).
Internal Audit Power: How Internal Audit Can Help Prepare for a SOC Audit
Who takes responsibility for a Service Organization Control (SOC) audit?
Yes, the title gave away the answer a bit. Although the responsibility for the completion of a SOC audit will rest with the board of directors and can be delegated to a key member of management (e.g. controller), an organization’s internal audit department (IA) is in the best position to do the leg work to prepare the company for a successful SOC audit.
IA should already be familiar with some of the accounting processes applicable to a SOC. The main areas where IA will have familiarity are control objectives regarding transaction processing integrity. Often IA has been tasked with reviewing the transaction processing of another department. They may conduct random audits of that department’s activities or select activities using specific criteria, such as a dollar threshold or transactions handled by new employees.
For control objectives regarding network security, data backup, software changes, etc., IA may not be as familiar with the applicable processes. However, IA typically a) is trained to select transactions using sampling methods and risk, and then to evaluate those transactions and formulate a report; b) understands control terminology and concepts such as automated versus manual controls and the differences among preventive, detective, and corrective controls; and c) understands audit documentation standards. These methodologies, concepts, and competencies can be applied to all control objective areas. The following example demonstrates how sampling method (method), control concepts (concept), and documentation competency (competency) can be relevant.
Take the control objective “controls provide reasonable assurance that data is backed up regularly.” An identified control in this area could be that a system backup is automatically run each night to tape and a log is generated showing successful completion or potential errors. IA understands that part of this control happens automatically, so they observe a single instance of the log generated by the system (method – check). However, they also understand part of this control is manual and corrective, i.e. after the log is automatically generated, an employee must then review the log manually and resolve/correct errors (concept – check). Finally, to prove the control occurred there must be documentation, so IA will recommend that the employee charged with resolution documents this event (competency – check).
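The backup control above has an automated half (the nightly job writes a log) and a manual, corrective half (someone reviews the log, fixes errors, and documents that they did so). The script below is an added illustration, not code from Larson & Company or from any backup product: it parses a constructed log in a hypothetical format, reduces it to the final status per job, treats a scheduled job with no log line at all as an exception (a silent failure that a purely visual log check tends to miss), and produces the review record that serves as the evidence the auditor will ask for. The review is marked complete only when every exception carries a documented resolution. The job names, log format and `EXPECTED_JOBS` schedule are all constructed for the example.

```python
import re

# Constructed sample of a nightly backup log; the line format is hypothetical,
# not the output of any real backup product.
SAMPLE_LOG = """\
2024-03-01 02:00:03 JOB=db-primary STATUS=SUCCESS BYTES=48213309
2024-03-01 02:14:41 JOB=fileshare STATUS=SUCCESS BYTES=912004411
2024-03-01 02:31:09 JOB=mail-archive STATUS=ERROR CODE=E_TAPE_FULL
2024-03-01 02:31:10 JOB=mail-archive STATUS=RETRY ATTEMPT=2
2024-03-01 02:55:27 JOB=mail-archive STATUS=ERROR CODE=E_TAPE_FULL
"""

# Jobs the (constructed) backup schedule says must run every night. hr-records
# has no log line above, which the review must catch as an exception.
EXPECTED_JOBS = ["db-primary", "fileshare", "mail-archive", "hr-records"]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"JOB=(?P<job>\S+) STATUS=(?P<status>\S+)(?P<rest>.*)$"
)


def parse_backup_log(text):
    """Automated part of the control: reduce the log to the last status seen per job.
    A later RETRY/SUCCESS line overrides an earlier ERROR for the same job."""
    final = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            final[m["job"]] = {
                "status": m["status"],
                "ts": m["ts"],
                "detail": m["rest"].strip(),
            }
    return final


def find_exceptions(final, expected_jobs):
    """Jobs whose final status is not SUCCESS, plus scheduled jobs with no log line at all."""
    exceptions = {}
    for job in expected_jobs:
        if job not in final:
            exceptions[job] = "no log entry (job did not run or log is incomplete)"
        elif final[job]["status"] != "SUCCESS":
            exceptions[job] = f'{final[job]["status"]} {final[job]["detail"]}'.strip()
    return exceptions


def review_backup_log(text, expected_jobs, reviewer, resolutions, review_date):
    """Manual, corrective part of the control: the reviewer supplies a resolution
    for every exception. The returned dict is the evidence record; it is only
    'complete' when no exception is left unresolved."""
    final = parse_backup_log(text)
    exceptions = find_exceptions(final, expected_jobs)
    unresolved = sorted(job for job in exceptions if not resolutions.get(job))
    return {
        "review_date": review_date,
        "reviewer": reviewer,
        "jobs_reviewed": sorted(final),
        "exceptions": exceptions,
        "resolutions": {j: resolutions[j] for j in exceptions if resolutions.get(j)},
        "unresolved": unresolved,
        "complete": not unresolved,
    }


if __name__ == "__main__":
    import json

    # Reviewer resolved the tape error but has not yet looked into the missing job.
    record = review_backup_log(
        SAMPLE_LOG,
        EXPECTED_JOBS,
        reviewer="j.doe",
        resolutions={"mail-archive": "Tape replaced; job re-run manually at 07:10, completed OK."},
        review_date="2024-03-01",
    )
    print(json.dumps(record, indent=2))
```

The record the script emits is what the "competency – check" step in the paragraph above asks for: who reviewed, on which date, which jobs were covered, and what was done about each exception. Storing that record (rather than just the raw log) is what lets an auditor sample a given night and see that the manual half of the control actually operated.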
As IA follows this process for each control objective and identified control, they are preparing an effective and documented set of controls which will allow the company to have a successful SOC audit.
Maximizing GRC Tool Implementation for SOC Audit Success: Lessons from the Field
As SOC auditors, we often hear the same question from clients exploring GRC tools: “Will this save us time?” The answer is often “it depends”. While GRC tools streamline evidence collection and monitoring, the greatest time savings occur on the client side—by reducing the resources needed to gather and organize audit evidence.
Here are four essential tips for implementing GRC tools effectively, drawn from our experience working with AICPA SOC clients:
1. Scope and Applicability Analysis: Don’t Over-Control
Before diving into configuration, spend time ensuring your control framework is scoped appropriately. Not all controls are relevant to every organization. For example, if your company’s system is hosted entirely in the cloud, physical security controls like badge access or surveillance cameras may not apply. This step narrows the scope, avoids unnecessary complexity, and helps auditors focus on what truly matters.
2. Invest in Proper Setup: Garbage In, Garbage Out
A GRC tool is only as good as its configuration. If the tool isn’t set up correctly, automated outputs like JSON files may be incomplete or misleading. We’ve seen cases where Drata tests were referenced but not visible to auditors, making it difficult to evaluate their appropriateness.
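Before handing a GRC export to the auditor, it is worth running a completeness check of the kind the paragraph above describes: every control should map to tests that are actually present in the export, visible to the auditor, passing, and recent enough to matter for the audit period. The script below is an added example, not code from Larson & Company, Drata, or any GRC vendor; the JSON layout (`controls`, `tests`, `visible_to_auditor`, `last_run`) is a constructed, hypothetical schema used only to show the check, and the control and test identifiers are made up.

```python
import json
from datetime import datetime, timedelta

# Constructed GRC export in a hypothetical schema (not any vendor's real format).
# It deliberately contains one of each problem the check is meant to surface.
SAMPLE_EXPORT = json.dumps({
    "controls": [
        {"id": "CC6.1-01", "name": "MFA enforced for all users",
         "tests": ["T-101", "T-102", "T-103"]},
        {"id": "CC7.2-03", "name": "Endpoint alerts reviewed weekly",
         "tests": ["T-205"]},                 # T-205 is missing from "tests" below
        {"id": "CC6.4-02", "name": "Badge access to data center",
         "tests": []},                        # nothing automated backs this control
    ],
    "tests": [
        {"id": "T-101", "status": "PASS", "last_run": "2024-03-01T02:00:00Z",
         "visible_to_auditor": True},
        {"id": "T-102", "status": "PASS", "last_run": "2024-03-01T02:00:00Z",
         "visible_to_auditor": False},        # referenced but hidden from the auditor
        {"id": "T-103", "status": "PASS", "last_run": "2023-11-15T02:00:00Z",
         "visible_to_auditor": True},         # passing, but far too old to rely on
    ],
})

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def check_export(export_json, as_of, max_age_days=30):
    """Return a list of findings, one per control/test pair that an auditor could
    not rely on as-is. Issue codes: no_test_mapped, missing_test, not_visible,
    failing, stale. `as_of` is the date the evidence is being evaluated (YYYY-MM-DD)."""
    data = json.loads(export_json)
    tests = {t["id"]: t for t in data.get("tests", [])}
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=max_age_days)
    findings = []

    def add(control, test, issue):
        findings.append({"control": control, "test": test, "issue": issue})

    for control in data.get("controls", []):
        cid = control["id"]
        refs = control.get("tests", [])
        if not refs:
            # Not necessarily wrong (manual evidence may cover it), but it must be
            # a conscious decision, so it is reported for the control owner.
            add(cid, None, "no_test_mapped")
            continue
        for tid in refs:
            t = tests.get(tid)
            if t is None:
                add(cid, tid, "missing_test")
            elif not t.get("visible_to_auditor", False):
                add(cid, tid, "not_visible")
            elif t.get("status") != "PASS":
                add(cid, tid, "failing")
            elif datetime.strptime(t["last_run"], TIME_FMT) < cutoff:
                add(cid, tid, "stale")
    return findings


def summarize(findings):
    """Count findings per issue code, for a quick readiness dashboard line."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in check_export(SAMPLE_EXPORT, as_of="2024-03-05"):
        print(f"{f['control']:<10} {str(f['test']):<6} {f['issue']}")
    print(summarize(check_export(SAMPLE_EXPORT, as_of="2024-03-05")))
```

Running this against the export before fieldwork turns the "referenced but not visible" situation described above from something the auditor discovers mid-engagement into something the control owner fixes in advance. The `max_age_days` threshold is a constructed default; set it to whatever test frequency the control description actually commits to.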
3. Assign Control Owners: Tools Don’t Replace People
GRC platforms automate monitoring, but they don’t replace accountability. Each control still needs a designated owner who understands the control, ensures it’s properly configured, and reviews the results. This human oversight is critical to maintaining audit integrity.
4. Enable Appropriate Auditor Access: Transparency Matters
Clients often forget to enable auditor access beyond just uploading files. For example, GRC tools sometimes offer auditors "Read only access to the entire app", which provides a secure, view-only environment to access compliance evidence and collaborate on audits without the risk of accidental changes. Granting read-only access to dashboards and test results allows auditors to verify controls directly, reducing back-and-forth and improving trust in the tool’s outputs.
Final Thoughts
GRC tools can be powerful allies in SOC audits—but only when implemented thoughtfully. By focusing on scope, setup, ownership, and access, clients can unlock real efficiencies and strengthen their control environment.
For additional guidance, contact Larson & Company SOC Team today. Find out more about our IT and SOC Audit services developed specifically to serve the needs of companies of all sizes in a wide range of industries.
Frequently Asked Questions About The SOC Audit Process
How long does a SOC audit take?
A SOC audit can take several months end-to-end. Control implementation may take 1–6 months, fieldwork typically lasts 3 days to 3 weeks, and final reporting takes 1–2 months. Preparation time varies depending on existing controls and documentation maturity.
What is the first step in preparing for a SOC audit?
The first step is performing a control gap assessment to identify missing or poorly documented controls. This helps determine readiness and estimate the scope, timing, and cost of the engagement.
What is the difference between SOC 1 and SOC 2?
SOC 1 focuses on controls impacting financial reporting. SOC 2 focuses on IT and security controls related to the Trust Services Criteria: security, availability, confidentiality, processing integrity, and privacy.
Can you still receive a clean SOC opinion if exceptions are found?
Yes. Exceptions are common. As long as they are not material enough to impact the likelihood that control objectives are achieved, the auditor may still issue a clean opinion.
How can internal audit or GRC tools help with SOC readiness?
Internal audit teams help evaluate, document, and test controls before fieldwork. GRC tools streamline evidence collection and monitoring, but proper configuration, control ownership, and auditor access are essential for success.