
SOC 2 type 2 audit observation period

What is the least and maximum range for an observation period for my SOC 2 type 2 audit?

GRC Q&A

Replies

  • The observation range is 3-6 months. Typically closer to 3 months

  • The minimum duration for an observation period is 3 months and the maximum is 12 months. That said, we recommend going for a window of at least 6 months if you are a small organization, so that the auditors will be able to test controls around new-hire access provisioning and access terminations. For a small company that does not have a high velocity of hiring or terminations, the auditor will not be able to effectively test these controls. Within the report the auditor will mark those controls as “Not tested – as no new hires occurred within the observation period.” This will likely be the same for disaster recovery testing, incident response testing and penetration testing, and therefore will not be enough to provide assurance to your customers.
