“How much time do you have?”
It is an exciting question when it concerns the length of a trip abroad or the latest office gossip, but somehow that excitement does not carry over when it is asked in an auditing context.
That is probably because you expect a compliance audit to complicate the scheduling of all the other deadlines and obligations you already have.
Yes, time is often among the biggest variables to nail down before actually starting a SOC examination: your timeline determines which of your personnel are needed, and when, alongside their competing priorities.
As SOC auditors ourselves, we are well-versed in fitting these audits to best serve our clients, and we want to help you understand all your choices as you head into your own process while avoiding the common pitfalls.
In our experience, it helps tremendously to be realistic about the internal time commitment so that, going in, everyone involved knows their role at each milestone of the audit. To help you with that, we are going to break down the typical timeline of a SOC audit and exactly what happens during each step of the process, including a rough time estimate for each.
Knowing all that, you’ll be able to set expectations within your organization and with your service auditors regarding exactly what effort will be needed and when. That way, you’ll minimize the inconvenience to everyone during your examination and streamline your process.
What is the Typical Timeline for a SOC Examination?
We will be direct about this. Here are several possible scenarios for your organization's SOC report, along with how each affects the time required:
If you intend to go all the way through from a readiness assessment to a Type 1 and then a Type 2 examination, the sequence usually takes 12 to 15 months of calendar time. (In our experience, this is the route typically taken by an organization that is new to compliance, or by one with a new service or system that has not yet been evaluated.)
If, however, you are repeating an examination you have already completed, your next Type 1 SOC audit should take only about two calendar months in total, and your next Type 2 about six calendar months in total.
Again, these are typical estimates and are not set in stone in every case. There have certainly been instances where Schellman teams were able to work closely with clients to expedite the process so that the journey from readiness assessment to Type 2 SOC report did not take the full 12 to 15 months. When working with your own assessor, we recommend using the initial planning period to look for such efficiencies together.
Even so, because every examination depends on many factors unique to each organization, if you are just getting started with SOC reporting the best advice we can give is to plan your Type 2 SOC examination journey around that 12 to 15 month timeline.
What are the Phases of a SOC Audit?
Within these rough timelines there are four distinct phases, each of which has its place in the process and requires a different level of effort from you and from your auditors. The details below should help you understand where a heavier lift will be needed from your organization.
Phase 1: Planning and Preparation (2-5 Business Days)
As you may have already guessed, this is the most important step within any SOC examination.
- This starting point is where you confirm that your controls and evidence line up with the agreed-upon scope, terms and expectations, which is the surest way to a successful audit.
- It is also where refinements are made, not only to timelines but also to scope, deliverables and other factors. During this period you and your auditors make whatever adjustments are needed to minimize delay or other adverse effects on the overall timeline.
During this time your auditors may send additional questionnaires or ask for more information; that is simply their effort to become familiar with your environment and systems. They share your goals for this phase: to streamline the process and deliver the report on time. Regardless of whether it is a readiness assessment or an examination, this phase typically lasts 2 to 5 business days.
Phase 2: Evidence Request & Collection (3-7 Weeks)
With the plan settled, your auditors begin the examination proper by determining which artifacts they need to complete their work.
They then hand that list to you, and you are given ample time to locate, source, catalogue and submit the requested evidence. For readiness assessments this effort usually takes 3 to 5 weeks; for Type 1 and Type 2 examinations, 5 to 7 weeks is commonplace.
Phase 3: Testing (1-4 Weeks)
Here it is, the crux of it all: the testing phase, sometimes referred to as the fieldwork stage.
With planning complete and the evidence collected, your auditors now carry out their reviews and inspections. This includes:
- Any necessary follow up conversations with evidence owners
- The cataloguing and documenting of the results of the testing of your controls
Typically, testing takes 1 to 2 weeks for readiness assessments, 2 weeks for Type 1 examinations, and 2 to 4 weeks for Type 2 examinations.
Phase 4: Reporting (1 Day - 3 Weeks)
Finally, we've reached the end.
The final stage of a SOC examination is where the work of the previous three stages (planning, collection and testing) takes shape as a deliverable: the report you will be able to provide to interested parties as assurance over your controls.
Note that this phase remains collaborative, at least from the Schellman perspective. Your audit team first provides the report to you in draft form, and you can request changes before approving its contents. The team then formalizes and issues the approved report, and voila, your SOC audit is complete.
For readiness assessments the reporting phase can take as little as a day to a week; Type 1 and Type 2 examinations commonly require 2 to 3 calendar weeks to allow for draft reporting, client review and report finalization.
Next Steps for your SOC Examination
At this point we have spelled out in detail what you already knew: a SOC audit takes time, no matter how you approach it.
Several factors affect how much, including the report type you choose, your own turnaround deadlines and your budget, but one thing you can count on in every case is the progression through these four phases. Each requires a different level of effort from you, and with this information in hand you should be better positioned to map out what will be required of your internal team and when.
Of course, you may be operating under extenuating circumstances where time and your SOC report are concerned. If so, as we said above, we are happy to discuss how to find the wiggle room that gets you what you need in the time you have.
Otherwise, to continue building a picture of what your SOC audit could look like, see the other material we have published to help with the decisions you will need to make:
About the Author: Jordan Hicks