We get asked all the time how long it takes to complete a SOC examination [SOC 1 (formerly SSAE 16) or SOC 2]. Unfortunately, there is no single answer that fits every examination, because every service organization is different. A SOC 1 is tailored to the services that a service organization provides to its clients, so the number of control objectives varies. Generally, the more control objectives included in the report, the longer the examination will take. The size of the service organization also has an impact on the amount of time an examination will take. A really large organization will take longer to audit than a smaller organization.
For a service organization getting a SOC 1 or SOC 2 for the first time from Linford & Company, we usually estimate that we will need two weeks onsite. The first of these weeks, shortly after we engage with a client, is for a pre-assessment, which we include at no extra charge. The second week onsite, for testing, will be close to the end of the period under review. For larger service organizations, or examinations that include a lot more control objectives, the testing could take place over multiple weeks. After this onsite fieldwork, we complete internal reviews of our work and then prepare the report, which will take another week.
So when is the best time to start considering a SOC examination and have auditors onsite? If you are a service organization that is being asked by a client to provide a SOC report, it is best to ask by what date they need the report. If it is within a few months, you will need to get moving. The minimum period that can be covered in a Type II examination is six months. If a report is needed within a few months, there would have to be a look-back period, in which controls are tested on how they operated in the past. This is fine for a service organization that has tight controls, though this is not always the case, especially with service organizations that are going through this for the first time. If the client does not need the report right away, or wants it the following year, that allows time for a pre-assessment to be performed, for remediation to take place, and then for the period under review to start, to ensure successful results.
At Linford & Company we recommend that as soon as a service organization knows they will require a SOC report, they start planning right away. This will help ensure there is an appropriate amount of time for planning, remediation and a successful testing period.