A service organization that provides a service to user entities, helping those entities further their objectives, often needs to provide reasonable assurance over the controls at the service organization that are relevant to the user entities’ internal control over financial reporting (SOC 1), or that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria (SOC 2).
Reasonable assurance is obtained through a Type 2 engagement, which assesses the operating effectiveness of controls at a service organization over a period of time rather than at a point in time (Type 1). An annual Type 1 report would therefore be of little value to a service organization, its user entities and other stakeholders.
The Securities and Exchange Commission (SEC) requires all publicly held entities to file audited annual reports, and SOC 1 reporting helps organizations comply with section 404 of the Sarbanes–Oxley Act, as implemented by the SEC, by demonstrating effective internal controls over financial auditing and reporting. A service organization (including a privately held company) may be required by its user entities and other stakeholders to obtain a SOC 1 report if it provides a service that may impact its clients’ internal control over financial reporting (ICFR). A service organization obtaining a Type 2 report cannot align the period covered by its report with the fiscal or reporting period of every user entity. However, because the period covered by the Type 2 report must overlap a substantial portion of the period covered by a user entity’s audited financial statements, and because of the annual reporting requirements noted above, a service organization would typically get a SOC 2 Type 2 report every 12 months, since this is most likely to maximize the usefulness of the report to stakeholders, the user entities and their auditors and to provide continuous coverage year over year.
Currently a SOC 2 report is not required by law, so there is no mandated requirement to obtain one within a predefined period. SOC 2 reports do not expire; however, reports older than a year are often considered “stale” and provide little to no value to user entities and their auditors. Service organizations generally obtain a SOC 2 Type 2 report annually because, as with a SOC 1 Type 2 report, this cadence provides assurance over the operating effectiveness of controls over a longer period of time and maximizes the usefulness of the report not only to the service organization but also to its user entities and their auditors.
Continuous Coverage

While service organizations typically obtain a SOC 1 or SOC 2 report on an annual cadence, a service organization may elect to obtain a SOC 1 Type 2 or SOC 2 Type 2 report more frequently (e.g., every six (6) months) depending on its own needs, its clients’ preferences, any ongoing concerns, or significant changes that impact its control environment. A service organization may even elect to obtain a report covering a shorter period (three (3) months) based on specific needs; however, periods that are too short provide less assurance over the operating effectiveness of controls at the service organization. Regardless of the specific needs or reporting cadence, the aim is to provide SOC reports with sufficient frequency and covering sufficient periods to provide continuous coverage and assurance to meet the needs of internal and external stakeholders.
Please reach out if you would like to learn more about how Audit Peak can assist you with your SOC 1 or SOC 2 compliance, or for a free consultation. WE WILL TAKE YOU TO THE PEAK.