The Difference Between SOC 1 Type I and Type II: The Audit Period
While SOC 1 Type I audit engagements evaluate a service organization’s internal controls that could impact their user organizations’ internal control over financial reporting (ICFR) at a specific point in time, a SOC 1 Type II audit evaluates a service organization’s internal controls that could impact their user organizations’ internal control over financial reporting (ICFR) over a period of time, usually between six and twelve months. How do go about choosing your audit period? There are a few things you need to know.
Choosing Your Audit Period for SOC 1 Type II Engagements
One of the first steps that organization’s must take when pursuing SOC 1 Type II compliance is choosing their audit period. When choosing your audit period for a SOC 1 Type II audit, you’ll pick a period of time from the past as auditors cannot make statements about what would happen in the future. Once you’ve determined the length of your audit period, your auditor will review the effectiveness of your organization’s internal controls during that time period.
To find out what audit period works best for your organization’s SOC 1 Type II compliance efforts, contact us today.
More SOC 1 Resources
One of the things that you have to do to prepare for a SOC 1 Type II audit is to define what the audit period is going to be. These reports are based on the AICPA’s standards, and just like in SSAE 18, the audit period will be a period of time that’s in the past. We’ll be looking back at what did happen during that period; we can’t make any forward statements about what would happen in the future. An audit period is typically six months or twelve months, and the auditor issues an opinion and performs testing on controls that were in place over a period of time. So, get with your auditor at KirkpatrickPrice and talk about what your audit period should be and what would be most appropriate for your situation.