SOC 2 Frequency: What You Should Know
SOC 2 Audit Frequency: Types 1 & 2
When you start the audit process with an auditor, you will need to decide on the first audit period. While your auditor might give you some guidance as to when to start your audit period, it is up to you when the audit period starts and when it ends. In this blog, we will discuss how frequently a SOC 2 audit should be performed.
For a SOC 2 Type 1, you will choose the earliest date on which all the controls are in place. You normally only do a SOC 2 Type 1 report once. You might do it again if you have significant changes and need a report to show customers those changes. From the Type 1 report, you will move to a SOC 2 Type 2 report.
For a SOC 2 Type 2, you will want to choose a start date when all the controls are in place and you are following them.
With the creation of compliance platforms like Vanta and Secureframe, the minimum audit period for a SOC 2 Type 2 is usually 3 months. Clients usually do a shortened period of 3-6 months the first time and then move to a 12-month period after that.
That schedule will get you a SOC 2 Type 2 report sooner to show prospective clients and close deals. From there you usually move to a 12-month audit period to show them that you continue to stay compliant.
A SOC 2 report or attestation doesn’t really expire, but your customers will be looking for a new report annually. Often you will be asked for a bridge letter to cover the period since the last audit report.
One of the most important things to know is that once you start the SOC 2 audit process, you should always be under an audit period or window.
Once your initial audit period is over and you have received your report, it is important to stay on top of your controls and begin preparing for your next audit period in accordance with SOC 2 frequency. Any gaps between reporting periods could result in having to explain to your clients what happened, which can be avoided by consistent and timely audits.