Unlike SOC Type 1 reports, which are based on a specific point in time, SOC Type 2 reports are done over a period of time. What is the minimum span of time for a SOC Type 2 report?
SOC Type 2 reports are evaluations of an organization's internal controls over a period of time, and the minimum span of time for such an evaluation is six months. This is in contrast to SOC Type 1 reports, which assess the effectiveness of controls at a specific point in time. Therefore, a SOC Type 2 report must cover at least six consecutive months.
They need to fix the language on these. SOC 1, SOC 2 Type 1 and Type 2 etc. Use the correct format or it makes studying more difficult.
6 months
C. One year
It is 1 year. Just Google it.
12 months is a long time without any control changes.
Although the AICPA does not mandate a strict minimum for the coverage period of a SOC 2 Type 2 report, the generally accepted industry practice (and what most clients and auditors expect) is a six-month coverage period at a minimum. This is because a Type 2 report is meant to verify the effectiveness of controls over time, rather than just at a single point.