SOC Reporting | What Happens in the Second Year?
Published on by Bryan Gayhart, Griffin Dickerson, in SOC Reports, Video
What comes after your first SOC report? Understanding the second-year process
Like any process you go through for the first time, you’re collecting new information and learning new things with your first SOC report. But what’s different in the second year?
In this episode of Ask the Experts, top SOC reporting pros Griffin Dickerson and Bryan Gayhart explore what the second-year experience is usually like, and how to best prepare for the second-year SOC audit.
The second year of SOC reporting is an important step in demonstrating that your controls aren’t just documented — they’re consistently operating over time.
Moving from a Type 1 to a Type 2 report
Many companies begin their SOC journey with a Type 1 report, which evaluates whether controls are properly designed and in place at a specific point in time. After that first report is issued, they often transition to a SOC Type 2 report.
A Type 2 report goes further by assessing how well those controls operate over a defined period of time, most commonly 12 months. In some cases, organizations may choose a shorter review period, such as three, six, or nine months, depending on contractual requirements or timing considerations that align better with business operations.
When to start the next SOC examination
Planning is key. The next SOC examination usually begins about three months before the reporting period ends.
During the early stages, auditors focus on foundational elements like:
- Policies and procedures that are updated annually
- Documentation related to control design
- Other baseline compliance materials
As the reporting period nears its end, the focus shifts to operational activities that occur throughout the year, including:
- User access changes (e.g., new hires and terminations)
- Software development updates
- Transactional or automated controls
Auditors collect populations of these activities and then test samples to evaluate how consistently the controls operated throughout the period.
Maintaining controls throughout the year
One of the biggest challenges organizations face after their first SOC report is keeping up with their control environment.
Once controls are documented in the initial report, management must ensure those controls continue to operate as intended. Establishing a process to track control performance, like regular check-ins with the SOC audit team or internal monitoring, helps prevent surprises when the next audit begins.
Timeline for completing the report
Although the reporting period may span several months, the audit process itself is designed to be manageable. By starting early and working methodically, organizations can spread tasks out rather than handling everything at once.
The goal is to issue the final SOC Type 2 report within about 60 days after the reporting period ends, ensuring the report remains timely and valuable to customers, stakeholders, and other report users.
Building a sustainable SOC process
Moving into the second year of SOC reporting is less about starting from scratch and more about maintaining and demonstrating consistency. With proper planning, regular communication, and strong internal tracking of controls, organizations can turn SOC compliance into a sustainable and efficient process.
Want to know more about SOC reporting?
You can watch the full series on our YouTube channel, or explore the full range of SOC reporting services Barnes Dennig provides. You can also download our free SOC Reporting Toolkit, designed to guide you through the process and prepare for a successful audit.