A Type II SOC 1 (formerly SSAE 16) or SOC 2 report (versus a Type I) is the most useful for a service organization to provide to a client. Most reports cover a 12-month period, but the period can be as short as six months. So how does a service organization decide what period under review is right for them? The best answer is to evaluate which period would overlap the most with the majority of their clients’ financial years. Because the reader of the report is generally the user (client) auditor, the report is most useful to clients when it overlaps at least six months with the client’s financial year under review.
Below are some excerpts from the AICPA’s SOC 1 guide addressing the period under review.
2.14 The user auditor evaluates whether the period covered by a given Type II report is appropriate for the user auditor’s purposes. To provide evidence in support of the user auditor’s risk assessment, the period covered by the Type II report would need to overlap (typically at least six months) the user entity’s audit period.
2.16 The service organization may consider the following examples when determining an appropriate test period for a Type II report.
- Example 1. The majority of user entities have calendar year ends. The service organization may want to provide a Type II report for the period November 1, 20X0, to October 31, 20X1, to maximize the usefulness of the report to user entities and their auditors.
- Example 2. User entities have year ends that span all months of the year. The service organization determines that issuing a report each quarter (or more often than annually) with tests of operating effectiveness that cover twelve months is most likely to maximize the usefulness of the report to user entities and their auditors.
Based on the above guidance, and our years of experience performing these examinations, Linford & Company recommends that the service organization consider the financial review period of their clients or, if needed, ask clients whether they have a preference for the period covered by the SOC report. Completing the SOC report annually, with a continuous 12-month period being covered, allows a service organization to provide clients with a report that opines on the service organization’s controls year over year without a break in the period being covered.
For the period of time that does not overlap with the financial year of a service organization’s client, the service organization may issue a bridge letter stating that its controls did not change during that period or, if they did change, explaining the changes that occurred to the controls in place.
For further information on bridge letters, please see the blog post Gap or Bridge Letters.