SOC reports [SOC 1 (formerly SSAE 16) and SOC 2] do not technically expire, however, users of the report may choose not to rely on the report based on the type (Type I vs. Type II) of report and the amount of time that has passed since the period covered by the report. So why a Type II report and why annually?
Each SOC report can be either a Type I or Type II report. A Type I SOC report is as of a point in time and a Type II SOC report covers a period of time. Because a Type I report is as of a point in time the value of the report is somewhat limited. Therefore, conducting an annual Type I SOC report has little to no merit to the user organization. Type II reports are more valuable to the user organization because they validate the operating effectiveness of controls at the service organization throughout the entire period.
Type II SOC reports generally cover the design and effectiveness of controls for a twelve month period of activity with continuous coverage from year to year to meet user requirements from a financial reporting or governance perspective. In some cases, a Type II SOC report may cover a shorter period of time, such as six months, if the system/service has not been in operation for a full year, or if annual reporting is insufficient to meet user needs. At Linford & Company, we generally only perform a report shorter than twelve months when it is the service organization’s first year receiving the report. AICPA guidance recommends that a report period cover a minimum of six months. Guidance also indicates that a Type II report which covers a period of less than six months is unlikely to be useful to user entities and their auditors.
A service organization should get a SOC report each year to ensure continuous coverage by the reports year over year. Having a break in coverage will only raise questions about what happened to the controls during the period that was not covered by the reports.
A service organization cannot always match up the period covered by the report with the calendar or fiscal period of every user organization. For the period of time that is not covered, management of the service organization may issue a bridge letter stating that no changes to the control environment have occurred since the date covered by the report.
At Linford & Company, we feel that after the initial SOC report, the best option for a service organization is to get an annual Type II SOC report.