We hear this question all the time from new clients and prospects. How long will it take for us to prepare the required documentation for a SOC report? How long will it take to get the report once we begin fieldwork? Unfortunately, this is one of those “it depends” answers. Following are some questions to consider when assessing how long it might take to complete your first time SOC audit.
Have you been through any compliance efforts in the past (e.g., PCI, ISO 27001, etc.)? If so, you may be able to leverage documentation such as policies and procedures from past compliance efforts.
How mature is your information security function? If you have a mature information security function already, the number of gaps that are necessary to remediate will likely be fewer than if you have an immature information security function.
When do your clients or prospects need the final report? If there is not an urgent need by your clients to have a SOC report, it might make sense to slow down and remediate any gaps, then wait at least six months and get a Type II SOC report for the first report. If you need the first report more quickly, then a Type I report may be the way to go following gap remediation.
Do you have time to go through a pre-assessment? Unless you have an urgent need to get a report as soon as possible, it is always a good idea to go through a pre-assessment first. A pre-assessment allows time to remediate gaps before getting your first report. It also increases the chances that your report will have a clean opinion.
What is the condition of your existing policies and procedures related to information security? If you have solid policies and procedures already, you won’t have to write as many policies before getting your first SOC report.
Do you have resources identified to help develop any missing policies and procedures and remediate gaps? Also, do the resources identified have time on their calendars to document new policies and procedures? If coordinating SOC compliance is just one job responsibility added to an otherwise already full employee’s schedule, then it will likely take a back seat to that employee’s primary job responsibilities.
Does the SOC audit firm you’ve identified have time available on their calendar to meet your report delivery deadlines? Check with the firm you are working with and make sure they can meet your reporting deadlines before engaging them to perform the work. Firms are generally busier in Q4 so if you can get on their schedule in Q1-Q3, you may get more attention which could result in getting your first report faster.
Are your report users (clients, prospects) ok with a Type I report for the first year? If so, that could reduce the amount of time required to receive your first report. For Type I reports, only the design of controls are tested. In Type II reports, design and operating effectiveness of controls are tested. For example, if a control needs to be remediated for a Type I report, the control can be remediated and doesn’t need to be operating effectively for a period of time as is required in a Type II.
If you haven’t gone through a SOC audit before, there are bound to be gaps in your processes and controls that need to be remediated prior to obtaining a SOC report with a clean opinion. How long it take to remediate any gaps has a direct result on when you may be able to receive a final report. In short, there is no easy answer for how long it will take to receive your first SOC report. Identifying a firm that you can work with effectively, beginning the pre-assessment process, and remediating gaps as quickly as possible will give you the best chance to get your report timely and meet reporting deadlines.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.