How Long Does It Take to Complete a SOC 2 Audit?
Originally published by A-LIGN.
Written by Stephanie Oyler, Vice President of Attestation Services, A-LIGN.
A SOC 2 report is a third-party validation that attests to an organization’s ability to protect data and information. It’s widely accepted across industries and provides a singular asset that can be used in the due diligence process with multiple prospects and customers — replacing the need to undergo a custom cybersecurity audit with each new customer.
To obtain a SOC 2 report, a company must submit to an audit in which assessors evaluate the internal controls used to secure information, along with the systems, technology, and staff roles within the organization. Although some organizations tout that they can complete this process in two weeks, experienced CPAs repeatedly declare that 14 days is simply not enough time to properly and thoroughly complete all aspects of the SOC 2 audit process.
In this blog, we’ll review each step of the SOC 2 audit process and explain how long each aspect of the audit process takes. This piece is meant to serve as a general guideline, as audit timelines can vary significantly based on the size of a company and the complexity of its environment and services.
Step 1: Find the Right Partner and Team
The first step toward completing a SOC 2 audit is to engage with an audit partner. It’s important to note that SOC 2 audits are regulated by the AICPA and reports can only be generated by an external auditor from a licensed CPA firm. Once you engage with a partner, there will be some preliminary discussions to define the scope of the project and sign a contract.
If this is your first time pursuing a SOC 2 report, we highly recommend completing a SOC 2 readiness assessment to examine any gaps in controls or processes prior to an official audit. This can help you save time (and money) before undergoing the bulk of the SOC 2 audit process.
Once you’re ready to officially proceed, contracts will be signed and the official engagement will begin. At that point you will be introduced to your SOC audit team. This typically consists of a senior manager, manager, and auditor.
Senior managers and managers act as primary points of contact during preliminary discussions. Auditors take over as the point person when it’s time for walkthroughs, testing, and evidence review. All three of these roles work together throughout the entire audit to ensure you are supported and informed every step of the way.
Step 2: Information Requests
Estimated Timeline: 2-3 Business Days
First, your audit team will generate an Information Request List (IRL) for your organization. This list of essential information is based on:
- The prior year’s report (if you have completed the SOC 2 process before)
- The scope
- The trust services criteria
- Other factors determined during the scoping phase (e.g., new technology, locations, third-party services being leveraged, cloud hosting services)
After the IRL has been published, there will be a call with the SOC audit team to re-confirm the timing and scope of the project.
Step 3: Evidence Collection for a SOC 2 Audit
Estimated Timeline: Varies
The time evidence collection takes varies with the scope of the audit, and it can be a time-intensive process. To expedite it, clients can use automated evidence collection (AEC); many experts recommend using compliance software tools to help reduce time and make the process more efficient.
If the need for a SOC 2 report is urgent, the collection period can be shortened. If you anticipate this will be the case for your company, it’s important to be prepared. Consider gathering essential materials prior to your kick-off call with your audit partner so everything is organized in one place. We also recommend you make sure you have staff resources assigned to assist with the SOC 2 process ahead of time, so you can reduce the risk of other internal priorities cutting into your SOC 2 efforts.
Step 4: Fieldwork
Estimated Timeline: 2-6 Weeks
Once evidence collection is complete, fieldwork (formal walkthroughs of your environment) will officially begin. The goal of this phase is to gain an in-depth understanding of your organization’s controls, processes, and procedures related to people and technology. The length of fieldwork will vary depending on the scope, locations, applications, and trust criteria. Generally, you can expect this phase of the SOC 2 audit process to last anywhere from two to six weeks.
Step 5: The SOC 2 Report
Estimated Timeline: 3 Weeks
After completing the walkthroughs and testing, the SOC audit team will generate a SOC 2 report for your company. The SOC 2 report comes in two parts:
- Draft: You’ll receive a draft report within three weeks of completing the fieldwork, sometimes earlier depending on deadlines and the complexity of the scope. During this draft report phase, you’ll have the opportunity to review the assertion, opinion, system description, and testing of the controls. If necessary, you can provide feedback or ask questions of the audit team. Once the draft report is approved internally, you’ll sign a management representation letter and notify your SOC 2 team that they can proceed with the final report.
- Final Report: One to two weeks after the draft has been approved, you’ll receive a final report with any updates or clarifications requested in the draft phase.
About the Author
Stephanie Oyler is the Vice President of Attestation Services at A-LIGN, focused on overseeing a variety of assessments within the SOC practice. Stephanie’s responsibilities include managing key service delivery leadership teams, maintaining auditing standards and methodologies, and analyzing business unit metrics. Stephanie has spent several years at A-LIGN in service delivery roles, from auditing and managing client engagements to overseeing audit teams and providing quality reviews of reports. Prior to joining A-LIGN, Stephanie worked for CBIZ, the tenth-largest accounting firm in the U.S., providing auditing services in the financial accounting spectrum for various industries including automobile, hospitality, not-for-profit, real estate, and cloud architecture. Stephanie graduated from the University of South Florida with a Bachelor of Science degree in Accounting. During her time at the University of South Florida, Stephanie was an active member of Beta Alpha Psi, an international honor society for Accounting, Finance, and Information Systems students and professionals.