Andrew Wan, CPA, CFE, is the leader of our Emerging Industries and Small to Medium Sized Business Practice Groups. He is an expert in IT auditing services and compliance issues for a wide range of companies.


A SOC Type 1 report provides an opinion on whether controls are suitably designed and implemented as of a specified date, but not on whether those controls operated effectively. Many user entities (i.e. the service organization's customers and their auditors) therefore ask service organizations for a SOC Type 2 report, which adds an opinion on operating effectiveness throughout a period of time. In practice, most user auditors and user entities need this evidence before they can rely on the SOC report to reduce or eliminate their own testing of the controls in place at the service organization. Most Type 2 reports cover a 12-month period; however, there is currently no required minimum length for the period the report must cover. So how does a service organization decide what period of time its SOC Type 2 report should cover in order to address a wide variety of user entities' needs? There are two main factors to consider:

  • User Entities’ Reporting Periods
  • Service Organization Resources

Consideration 1: User Entities’ Reporting Periods

The first factor in determining the appropriate period for a Type 2 report is the user entities' own reporting periods.

This excerpt from the AICPA SOC 1 Audit Guide provides some guidance for consideration.

2.15 The user auditor should evaluate whether the period covered by a given type 2 report is appropriate for the user auditor’s purposes. To provide evidence in support of the user auditor’s risk assessment, the period covered by the type 2 report would need to overlap a substantial portion of the period covered by the user entity’s financial statements being audited.

As the excerpt notes, a user auditor will find a Type 2 report most useful when it overlaps a substantial portion of the period covered by the user entity's financial statements being audited. A general rule of thumb in the industry for "substantial" is that the report period overlaps at least six months of the user entity's financial statement period.

The AICPA SOC 1 Audit Guide further clarifies this with the following examples:

2.17 The service organization may consider the following examples when determining an appropriate test period for a type 2 report.

Example 1. The majority of user entities have calendar year-ends. The service organization may want to provide a type 2 report for the period January 1, 20X0, to December 31, 20X0, to maximize the usefulness of the report to user entities and their auditors.

Example 2. User entities have year-ends that span all months of the year. The service organization determines that issuing a report each quarter (or more often than annually) with tests of operating effectiveness that cover twelve months is most likely to maximize the usefulness of the report to user entities and their auditors.

As these examples illustrate, the primary driver of a service organization's SOC Type 2 report period is the year-ends of its user entities. The general rule of thumb is that the report period should cover at least six months of each user entity's financial statement period, with the report renewed annually. As Example 2 shows, some service organizations need to report more frequently than annually in order to satisfy a wide variety of user entity year-ends; this is common for service organizations such as payroll providers and cloud computing companies, whose customers have year-ends spread across the calendar.

Consideration 2: Service Organization Resources

Another factor to consider is the level of resources available to respond to the SOC examination. An organization may not want an examination taking place concurrently with other large organizational initiatives. When such an overlap exists, one option is to shift the examination period slightly to a time when resources are available to oversee it, while still ensuring the report covers a substantial portion of the period covered by the user entities' financial statements being audited. For example, if the majority of a service organization's user entities have calendar year-ends but the service organization is not able to get the report completed in Q4 because of personnel constraints (e.g. open enrollment for insurance carriers), then an acceptable alternative period may be October 1, 20X9 to September 30, 20X0. To provide comfort to user entities and their auditors for the last three months of the calendar year not covered by that SOC Type 2 report, the service organization's management may issue a bridge letter (also known as a gap letter) stating that there have been no significant changes to the controls or the control environment during those three months. Note that a bridge letter is a representation from the service organization's management, not an auditor's opinion, and it does not extend the examination period; user auditors will generally accept it only for a short gap and only alongside the underlying Type 2 report.
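The two considerations above reduce to a small planning calculation: for each user entity, how many months of its fiscal year does a candidate report period overlap, does that meet the six-month rule of thumb, and how many months would a bridge letter need to cover? The following script is an added illustration written for this article, not AICPA guidance or Larson & Company material. It assumes (as the article's examples do) that report periods and fiscal years start on the first day of a month and end on the last day of a month, so overlap is counted in whole months, and it treats the six-month threshold as the configurable rule of thumb the article describes rather than a requirement. The customer year-ends in the `__main__` block are constructed sample data.

```python
"""Plan a SOC Type 2 report period against user entities' fiscal years.

Added illustration for this article, not AICPA guidance or Larson & Company
material. Assumptions (not stated by the article): periods begin on the first
day of a month and end on the last day of a month, so overlap is measured in
whole months; the six-month "substantial overlap" threshold is the article's
rule of thumb and is passed in as a parameter.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Period:
    start: date  # first day covered
    end: date    # last day covered (inclusive)


def fiscal_year(year_end: date) -> Period:
    """Twelve-month fiscal year ending on the last day of year_end's month."""
    month = year_end.month % 12 + 1                        # month after the year-end month
    year = year_end.year if month == 1 else year_end.year - 1
    return Period(date(year, month, 1), year_end)


def overlap_months(a: Period, b: Period) -> int:
    """Whole months shared by a and b (0 if they do not intersect)."""
    start, end = max(a.start, b.start), min(a.end, b.end)
    if end < start:
        return 0
    return (end.year - start.year) * 12 + (end.month - start.month) + 1


def assess(report: Period, year_end: date, min_months: int = 6) -> dict:
    """Overlap of a Type 2 report with one user entity's fiscal year, plus the
    number of months after the report end that a bridge (gap) letter would have
    to cover for that entity's auditor."""
    fy = fiscal_year(year_end)
    overlap = overlap_months(report, fy)
    gap = 0
    if overlap and fy.end > report.end:
        gap = overlap_months(Period(report.end + timedelta(days=1), fy.end), fy)
    return {
        "year_end": year_end,
        "overlap_months": overlap,
        "substantial": overlap >= min_months,   # article's rule of thumb
        "bridge_letter_months": gap,
    }


def plan(report: Period, year_ends: Iterable[date], min_months: int = 6) -> dict:
    """Summarise how well one report period serves a population of user entities:
    how many meet the overlap rule, which do not, and who needs a bridge letter."""
    results = [assess(report, ye, min_months) for ye in year_ends]
    return {
        "served": sum(1 for r in results if r["substantial"]),
        "not_served": [r["year_end"] for r in results if not r["substantial"]],
        "bridge_letters": {r["year_end"]: r["bridge_letter_months"]
                           for r in results if r["bridge_letter_months"]},
    }


if __name__ == "__main__":
    # Constructed sample: mostly calendar year-ends, a few off-cycle customers.
    customer_year_ends = [date(2020, 12, 31)] * 5 + [date(2020, 6, 30), date(2021, 2, 28)]
    # The article's shifted period: October 1 through September 30.
    shifted = Period(date(2019, 10, 1), date(2020, 9, 30))
    calendar = Period(date(2020, 1, 1), date(2020, 12, 31))
    for label, report in (("calendar", calendar), ("shifted", shifted)):
        print(label, plan(report, customer_year_ends))
```

Running the script shows the trade-off the article describes: the calendar-year report serves the calendar-year-end customers with no bridge letter, while the October-to-September period still gives them nine months of overlap but requires a three-month bridge letter, and gives the June year-end customer nine months with no gap at all.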

More SOC questions?

Larson & Company has extensive experience helping companies of all sizes with their SOC examinations and is ready to assist you with any further questions. Please feel free to reach out to Andrew Wan at awan@larsco.com for more information.