The SOC 2 reporting process can take anywhere from 4 weeks to 18 months at the extreme ends of the spectrum (6 weeks to 3 months on average). The variance depends on the type of report (Type I vs. Type II), project complexity, firm maturity, motivation to obtain a SOC 2 report, and variations in each phase of the reporting process. Below is an overview of the process and what you can expect at each step. If you want a time estimate based on your specific requirements, please contact one of our professionals.
1| Planning and Strategy
Planning and strategy are critical to setting priorities, communication, and scoping your SOC 2 report. This is where you decide which SOC 2 trust services criteria should be in scope, which locations should be audited, the nature and extent of the system to be audited, and how you plan to track progress.
Timing: 1 – 3 weeks. This should include a few “white-boarding” sessions and time to obtain buy-in from all key stakeholders.
2| SOC 2 Audit Gap Analysis and Readiness Assessment
Most companies opt to undergo a pre-audit gap analysis. This is where a firm comes in and performs an assessment of your “as-is” environment and compares that to the SOC 2 requirements. As a result of the gap analysis, your company obtains a punch list of items that will need to be remediated for SOC 2 compliance.
Timing: 1 – 8 weeks on the low and high end. 2 – 4 weeks from planning to final results is average.
3| Remediate Identified Issues
After obtaining a gap analysis, management must remediate identified issues. Depending on the nature of the gaps, the extent to which management is willing to dedicate resources to resolve gaps, and how motivated management is to obtain the SOC 2 report, timing for this phase can vary widely.
Timing: 0 – 12 months on the low and high end. 4 to 8 weeks is average.
Insight: Successful remediation is less about technical acumen and often hinges more on solid project management. Set goals, identify milestones, and closely track each work-stream to final resolution. You may work with your audit partner to re-test issues to validate they are remediated.
4| Audit Fieldwork
When management is confident remediation is complete, audit fieldwork can begin. This is where the auditors will begin gathering and examining audit evidence for the SOC 2 report. Audit fieldwork is typically a mix of on-site and remote audit work.
Timing: 0 – 3 months on the low and high end. 2 – 4 weeks is average.
Insight: Work location (on-site or remote) is largely decided mutually between the audit firm and you. Some audit procedures have to be performed on-site (e.g., observation of physical or environmental security functions), but examination of evidence can be performed remotely. On-site audits can often be more efficient, but may require additional fees for travel. Remote audits may reduce distraction from business operations, but may make it difficult to communicate some of the nuances of your business.
5| Audit Report and Wrap-Up
After audit fieldwork has been completed, the audit firm will begin writing the final SOC 2 report and complete the mountain of administrative tasks required to meet AICPA requirements. You will have the opportunity to review the SOC 2 report prior to final issuance.
Timing: 1 – 5 weeks on the low and high end. 2 – 4 weeks is average. This phase can vary based on the volume of review comments from internal stakeholders.
Insight: Audit firms must meet minimum professional standards as defined internally by the AICPA, PCAOB, and other governing institutions. This requires detailed documentation of audit work, archiving of audit evidence, and meeting a slew of other requirements. Audit firms must take this seriously because we are subject to peer review. Our work is audited too.
6| Maintain Your Program
SOC 2 reports are an annual requirement, so between audits you will need processes to ensure that you maintain the program you have spent so much time and effort to build.
Insight: Consider building an internal audit function, or co-sourcing one with a consulting firm. Audit your controls throughout the year.
Let’s Get Started
If you are considering a SOC 2 report, contact one of our professionals to learn more about why we are a great business partner.