We are frequently asked how long it takes to complete a SOC examination. Unfortunately there is not an answer that fits for every examination because every service organization is different. But, if an organization has controls in place the average time taken for a SOC examination is typically one to three months for Type I reports, and six to 12 months for Type II reports. If controls are not in place, the examination can take longer.
What is a SOC 1 and a SOC 2?
A SOC 1 Report (Service Organization Controls Report) is a report on controls at a service organization that are relevant to user entities’ internal control over financial reporting. A SOC 1 is tailored to the services that a service organization provides to its clients, so the number of control objectives varies, along with what the control objectives cover.
For a SOC 2 Report, management of a service organization attests that certain controls are in place to meet some or all of the AICPA’s SOC 2 Trust Services Criteria (TSC). Management selects which of the five TSCs best address the risk of the services provided by the service organization. The Trust Services Criteria available are the following:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, and authorized.
- Confidentiality – Information that is designated “confidential” is protected according to policy or agreement.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA.
In addition to there being a SOC 1 and a SOC 2 examination, each of these examinations can be a Type I or a Type II examination.
What is the Difference Between a Type I and a Type II?
Each SOC examination can be a Type I or a Type II. A Type I report is as of a specified date and includes a description of the service organization’s controls as of that point in time. A Type I report includes an opinion on the design of controls as of the date specified in the report. There is no opinion on the operating effectiveness of controls over a period of time.
A Type II covers a period of time. The period of time is a minimum of six months, but is generally 12 months so there is no gap in coverage by the reports year-over-year. The report includes a description of the controls and also gives an opinion on the design and the operating effectiveness of the controls over the period of time specified in the report.
Does a Type II Take Longer Than a Type I?
A Type II SOC examination does not automatically mean the testing will take longer, though the amount of time required to get the report is different for a Type II vs. a Type I. Because a Type I is as of a point in time, if a service organization has its controls in place and documented, an examination may be performed right away and a report generated. If controls are not in place, a pre-assessment or readiness assessment should be completed first, and a period of remediation will generally follow. Once controls are designed and in place, the walkthroughs/testing of those controls can take place and a report can be generated.
For a Type II SOC examination, a period of time must pass during which controls are operating, so if this is the initial examination, it could be around nine to 12 months before a report is in hand. If controls have been in place and are documented, it is possible to look backwards over the period under review, but this is rare for service organizations that have not been through a SOC examination before, because there is not always documented evidence of the controls in place.
So, to summarize the timing difference between a Type I and a Type II SOC examination: once the clock starts and the controls are in place, a Type I report can be produced right away, and a Type II report can be produced only after the period being covered has passed (i.e., at least six months).
How Far Ahead Do We Plan for a SOC Examination?
For a service organization getting a SOC 1 or SOC 2 for the first time from Linford & Company, we usually estimate that we will need two weeks onsite. The first of these weeks is generally shortly after we engage with a client, for a pre-assessment, which we include at no extra charge. The second week onsite will be close to the end of the period under review for testing (Type II), or right before the point-in-time date for a Type I. For larger service organizations, examinations that include a lot of control objectives (SOC 1), or SOC 2 examinations covering multiple TSCs, the testing could take place over multiple weeks.
After the onsite fieldwork we complete internal reviews of our work and then prepare the report, which will take around another week. The subservice organization also reviews and provides feedback on their report before it is issued.
So when is the best time to start considering a SOC examination and having auditors onsite? If you are a service organization that is being asked to provide a SOC report by a client, it is best to ask what date they need to have the report in hand. If it is within a few months, you will need to get moving and contact a CPA firm that performs SOC examinations.
If the client does not need the report right away, or wants it the following year, that allows for time to have a pre-assessment performed, remediation to take place, and then the period under review to start to ensure successful results.
What if a Client Needs a Report Right Now?
Many of our new clients and prospects contact us because they are being asked to provide a report right away. This is not always possible. With all of the new clients we engage with, we provide a memo on our letterhead that our clients can give to their clients; it states that the examination is underway and gives an estimated date when the work will be complete and the report issued. This will generally appease a subservice organization’s clients until we can complete the examination and issue the report.
If a client is still adamant that they need a report right away, starting with a Type I examination would be the best option, as a point-in-time report could be turned around sooner than a Type II.
At Linford & Company we recommend that as soon as a service organization knows they will require a SOC report, they start planning right away. This will help ensure there is an appropriate amount of time for planning, remediation, and a successful testing period.
Please contact us if you want to learn more about SOC examinations.