
SOC 2 Type 2 Reporting Period Considerations

by Alan DeVaughan

One of the key factors of a SOC 2 Type 2 report is the timeframe covered by the report (the “reporting period”). As a refresher, a Type 2 report covers a period of time, whereas a Type 1 report is as of a single point in time known as the effective date. Most SOC 2 Type 2 reports cover a 12-month period, but many organizations opt for a shorter reporting period for their first SOC 2 report. Organizations want to get their first Type 2 report issued as quickly as possible to provide to their clients, or to use as a marketing tool for potential clients. However, a shorter reporting period comes with some potential risks.

A Type 2 report is an auditor’s opinion on whether the organization’s controls were suitably designed and operated effectively to meet the service commitments and system requirements contained within the system description. The expectation is that every control operated, or had the opportunity to operate, within the reporting period. If you have a shorter reporting period, there is a greater risk that some of the controls won’t operate due to timing. An example would be an annual control (e.g., policy review and update) that didn’t occur within the reporting period.

You will see Type 2 reporting periods as short as three months (90 days). We strongly recommend against doing this, as it can be very challenging to ensure every control operated within that short period. Many organizations choose to do a readiness assessment to prepare for a Type 1 or Type 2 examination. If you pick a shorter reporting period, you run the risk of having to perform some of your controls more frequently than normal to ensure they operate during the Type 2 period. If the controls don’t operate during the period, you run the risk of having exceptions in the report and potentially a qualified opinion.

By choosing an initial Type 2 period of six months or longer, your organization is less likely to have to explain why controls didn’t operate and less likely to create extra work for your control owners. Don’t fall into the trap of rushing your first Type 2 report without careful consideration of the potential risks. At Meditology, we have years of experience helping organizations prepare for and complete SOC 2 examinations. Our tailored SOC 2 approach provides readiness assessments and remediation guidance to prepare you for the formal SOC 2 examination. We can customize your SOC 2 reporting period to match your organization’s goals without exceeding your capabilities.


About the Author

Alan DeVaughan | Senior Manager, IT Risk Management

Alan DeVaughan is an experienced compliance and information security senior manager who has specialized in assisting organizations with SOC 2 readiness assessments and examinations for over 10 years. In addition to leading the firm's SOC 2 service line, he serves as a consultant team leader focused on advising healthcare clients of varying sizes and complexity in the areas of IT, privacy, security, and compliance. Alan has in-depth knowledge of security technology frameworks such as NIST, HITRUST, SOC 1 / SOC 2, HIPAA, and FFIEC. With a background in network administration, he has over 25 years’ experience in information technology consulting for a wide variety of organizations and industries.
