How to choose the timing of your SOC exam
Many organizations have questions about the timing of SOC exams. How do you select a year end? Can you skip a year between exams? Can a SOC report cover less than 12 months?
Determining the time of year you want your SOC audit to take place, let alone the period of time it covers, can be a bigger decision than you realize. Regardless of whether you are performing a SOC 1 exam or a SOC 2 exam, the time of year you choose can affect the success and efficiency of the exam.
Selecting a “year end”
A year end is the ending reporting date for your exam. For SOC 1 and SOC 2, there are two options for year ends depending on whether you are doing a type 1 or a type 2.
A type 1 is as of a point in time. This date can be any day of the year, but you will have to work with your auditor to determine what you select. Typically, this date is the last day of fieldwork, and the report states that on that date the controls were fairly presented and designed.
A type 2 report is over a period of time. For a SOC 1 it is a minimum of six months, and for a SOC 2 it is a minimum of three months. Unlike a type 1, the type 2 also tests the operating effectiveness of the controls.
Ultimately, the period of time you select is up to your needs and the needs of your clients.
Things to consider with selecting a type 2 period
Identify the busier times of the year for your business. You may not want to have an exam taking place with other large organizational initiatives. Keep in mind that during a type 2, there must be time during the period to observe and a time after to test the controls, meaning there are potentially two times of year when you will be facilitating the exam.
Also consider what your clients' needs are. When do they need the report by, and what time frame do they need it to cover? For example, a payroll company's report period tends to be aligned with the calendar year to help satisfy its clients, whose financial periods end on the calendar year. That way the report can be given to those clients for their financial statement audits within the first few months of the year.
Can you skip a year?
Technically, yes. Because an exam covers a point in time or a period of time, skipping a year is allowed. However, it is not recommended. Generally, exams should be performed annually on the anniversary of the prior period so that there are no gaps between them. By skipping exams, you take the risk that your clients will start wondering what was going on during those gap months.
If your organization is undergoing large control changes or mergers/acquisitions, there are several ways to handle this. One way is to keep the same period and include a caveat in the report for the controls that are operating differently. Another way is to have a shortened period covering the "old" controls and then begin the next exam with the "new" controls. In most cases, when skipping a period, management has the opportunity to explain in its report the reasoning for the decision.
Can the SOC exam cover less than 12 months?
It can. Some companies prefer to have an exam every six months instead of every 12. The standards allow different periods of time to be covered, subject to the minimums mentioned above. This is again a chance for your company to consider how your clients use the reports and how much effort goes into having shorter, more frequent audits.
Having shorter consecutive periods (e.g., two six-month audits in a year) means more cost to you. Your company will have to pay for two audits and for the time your employees need to gather the evidence. However, if you have a mix of clients with different period-end needs, it may be worth it. Some of your clients may need reporting periods covered that are different from the one you have selected. By splitting the year into multiple audit periods, you can give them the correct coverage. For example, if a client has a fiscal year ending 6/30 and you have two six-month audits, then they can receive two reports that together cover their required period instead of an annual report that leaves them with a six-month gap.
More SOC audit resources
Wipfli has extensive experience performing SOC audits and can answer questions you have, from what type of exam you need to what the best practices are around when and how to perform one. Click here to learn more about our SOC auditor services, or keep reading about SOC audits:
Do I need a SOC exam? And do I need more than one?
Understanding SOC exam exceptions and management letter comments