CCSP Exam - Question 291


Audits are either done based on the status of a system or application at a specific time or done as a study over a period of time that takes into account changes and processes.

Which of the following pairs matches an audit type that is done over time, along with the minimum span of time necessary for it?

Correct Answer: D

SOC Type 2 audits are conducted over a period of time to evaluate the effectiveness of controls in operation over a minimum span of six months. This contrasts with SOC Type 1 audits, which assess controls at a specific point in time.

Discussion

2 comments
akg001 (Option: D)
Nov 20, 2024

D. SOC Type 2, six months

MaciekMT (Option: D)
Mar 3, 2025

SOC (System and Organization Controls) reports assess the security, availability, processing integrity, confidentiality, and privacy of a system or application. SOC Type 2 reports are conducted over a period of time, evaluating how security controls function over an extended duration rather than at a single point in time. The minimum period required for a SOC Type 2 audit is typically six months, though some auditors may accept shorter periods under special circumstances.