SOC audit timing: When to schedule your SOC 1 or SOC 2 exam

If your company uses SOC 1 and SOC 2 reports to build trust with clients, the timing of your audit should be a strategic decision. Buyers expect continuous coverage. Getting the timing right is an important step to meeting stakeholder expectations.
Organizations need to determine when to conduct a SOC audit and the time period it covers. Both can be bigger decisions than you realize. SOC exams need to align with business needs and reporting cycles, in addition to SOC 2 compliance requirements. Internal changes, such as adopting new tech or going through M&A, could also affect the SOC reporting schedule for your controlled environment.
Let’s dive into frequently asked questions about how to time a SOC audit, such as:
- How do you select a year end for SOC reporting?
- Can you skip a year between SOC exams?
- Can a SOC report cover less than 12 months?
How do you select a year end for SOC reporting?
When it comes to SOC compliance, “year-end” refers to the end date of the reporting period for your exam. The timing will depend on whether you’re preparing a SOC 1 or SOC 2 report — and whether you’re pursuing a SOC Type 1 or SOC Type 2 report.
- A SOC 1 Type 1 report covers a single point in time, which can be any date of the year. Companies typically choose the last day of fieldwork, but you should work with your auditor to confirm the date. A SOC 1 Type 1 report describes the controls and practices that were in place on that date.
- A SOC 1 Type 2 report covers a period of time — typically a minimum of six months. These reports often align with fiscal or calendar year-ends to support client reporting needs.
- A SOC 2 Type 2 report also covers a period of time, with a minimum coverage of three months. Unlike a Type 1 report, the Type 2 report also tests the operating effectiveness of the controls over the selected period.
Ultimately, the timing you select is up to your needs — and the needs of your clients.
Timing considerations for a SOC 2 Type 2 period
What are the busiest times of year for your organization? You may not want an exam taking place alongside other large organizational initiatives. Keep in mind that during a SOC Type 2 audit, you need time to observe internal controls and time to test the controls. That means the exam could be facilitated two separate times in a year.
Also consider your clients’ needs. For example, when do they need the report? What time frame do they need to cover? The SOC reporting period for a payroll company might align with the calendar year to support clients whose financial periods end on the calendar year. That way, clients can include your SOC report with their financial statement audits in the first few months of the year.
Can you skip a year between SOC exams?
While skipping a year between SOC exams is technically allowed, doing so may raise questions about the continuity of your SOC 2 audit coverage. Clients expect uninterrupted SOC 2 compliance, especially if they work in regulated industries or have vendor risk management programs.
Generally, it is recommended to perform SOC exams annually (based on the anniversary of your prior period) to avoid gaps. If your organization is undergoing large control changes around that time, such as a merger or acquisition, there are several ways to handle this. You could keep the same period with a caveat in the SOC report that controls now operate differently. Or your SOC exam could cover shortened periods: report on the “old” controls until you make the switch, then begin the next exam with the “new” controls.
In most cases, management will have an opportunity to explain the timing decision in your SOC report.
Can a SOC exam cover less than 12 months?
Yes — a SOC exam can cover less than 12 months. In fact, some companies prefer to have SOC exams every six months instead of 12.
The standards allow for different timeframes to be covered, as long as the minimum periods are met. So, you have some flexibility to consider how clients use the SOC report — and how much effort might go into shorter, more frequent audits.
Having shorter continuous SOC exam periods (e.g., two six-month audits in a year) could mean higher costs. You have to pay for two audits — and double the time for employees to gather evidence. However, if you have a mix of clients with different period-end needs, it may be worth it.
If clients need different reporting periods than you selected, splitting your SOC audit into multiple periods can help you deliver the correct coverage. For example, if the client has a 6/30 year-end and you conduct two six-month SOC audits, they can receive two reports covering their required period — instead of an annual report with a six-month gap.
SOC audit resources
A SOC 2 compliance checklist can help you evaluate key factors, from the type and timing of your exam to control readiness. Whether you’re preparing a SOC 2 audit for the first time or refining your cadence, the right planning tools can make the process smoother.
The right partner can pave the way to a successful SOC audit, too. Wipfli has extensive experience performing SOC audits and can help you align your audit schedule with your operational goals and SOC 2 compliance requirements.