Q: What should the scope period be for my SOC 2 Type 2 report?
A: MJD Answer
Before I jump into the scope period for a SOC 2 Type 2, I wanted to quickly note the difference between a SOC 2 Type 1 report and a SOC 2 Type 2 report.
- Type 1: Reports on controls in place on a specific day (i.e., as of June 1st).
- Type 2: Reports on controls over a period of time (i.e., June 1st to December 31st).
Both reports follow the same standard and same level of control implementation - so this shouldn’t be viewed as “level 1” and “level 2,” but a type 2 report provides additional assurance since the controls are demonstrated over a longer period of time. When you hear people ask for your SOC 2 report - they are generally requesting a type 2.
So, back to the question.
Like anything SOC 2 related, there are no requirements for the length of the period you select. It’s a decision made by the auditee based on the needs of their specific situation (or, in other words, what will make your customers happy). In practice, you usually see periods of three to twelve months, and some of the things we suggest our clients evaluate include:
- When is the report needed? If you want to start a period today, obviously, a 12-month report will take longer to issue than a three-month report.
- Are there any contractual requirements that define a desired scope period? We have seen plenty of agreements that require annual 12-month reports or a specified minimum length for a first-time audit.
- Am I able to demonstrate my controls operated during a shortened window? When a control doesn’t have to operate, it’s not an exception, but describing the lack of operation does create noise in the report that could introduce questions.
- If you have completed a SOC 2 Report, will customers question a gap in your report period? Or, in other words, will customers wonder what goes on during the other nine months if you are producing three-month reports every year?
Most of the time, there’s not a specific commitment, which leaves room for judgment. What we recommend is to consider your most important users and evaluate the best way to prove you continue to deserve their trust, as the absolute last thing you want to do is produce a report that will be ignored. And if you feel comfortable in the relationship, have a conversation with them and obtain feedback. They might ask you, “What’s a scope period?” or they may really appreciate the transparency and that you valued their opinion enough to ask.
We work with many companies that are new to SOC 2 and have a recent commitment related to a new opportunity which leads to a lot of three-month reports. However, what we expect to see (and is viewed as the best practice) is that those first-time reports would be followed up with an annual 12-month report to demonstrate an ongoing commitment to operating your security program. However, as stated earlier, the auditor has to be on board with your plans, but it is not their decision.
The scope period for a SOC 2 report will depend on the specific needs and circumstances of your organization. Typically, the scope period for a SOC 2 report covers a period of at least six months, but it can be longer depending on the business requirements and the period deemed necessary to provide reasonable assurance that the relevant controls are operating effectively.
It's important to note that the scope of the SOC 2 report should be defined based on the system or service being evaluated, and not just the organization as a whole. The scope should be clearly defined in the engagement letter between the service organization and the auditing firm, and should include the specific systems, processes, and controls that are being evaluated.
It's also important to consider any regulatory or contractual requirements that may impact the scope period. For example, if your organization is subject to HIPAA or GDPR regulations, you may need to align your SOC 2 report scope period with the relevant reporting periods for those regulations.
The scope period for your SOC 2 report should be carefully considered and aligned with the needs of your organization and any relevant regulatory or contractual requirements.