How to choose a monitoring period for SOC 2 Type 2

Tips and tricks for choosing a SOC 2 monitoring period that best aligns with your Type 2 compliance goals

Written by Cayla Marshall
Updated over 7 months ago

What is a monitoring period?

While a SOC 2 Type 1 evaluates the design of your controls as of a particular point in time, a Type 2 evaluates both the design and the operating effectiveness of your controls over a period of time. This period of time is referred to as a monitoring period, audit period, review period, observation window, or similar.

Therefore, if you are preparing for a SOC 2 Type 2 audit, you’ll need to determine the start and end dates for your chosen monitoring period. This period sets the boundaries for your evidence collection: your auditors will only evaluate evidence from within it, so evidence dated before the start or after the end does not count toward the report.

How do I choose my monitoring period?

Ultimately, monitoring period start and end dates are up to your organization. However, there are a few aspects to consider to choose a monitoring period that best aligns with your compliance goals.

Monitoring Period Duration

Generally, Type 2 monitoring periods last between 3 and 12 months. The ultimate goal is to reach an annual audit cycle with consecutive 12-month monitoring periods, but it’s not uncommon for an organization to choose a shorter monitoring period for their first Type 2 audit.

Possible reasons to choose a shorter monitoring period include:

  • Customer demand: A customer or prospect may request that your organization achieve a Type 2 sooner than 12 months after issuance of your Type 1.

  • Leadership/organization goals: Internal stakeholders are putting emphasis on achieving a SOC 2 Type 2 report in fewer than 12 months.

  • Gap in control operation: If there have been significant control operation errors, you may want to adjust your monitoring period so that it starts after the gap was remediated and the control was demonstrably operating again, keeping the error out of your final report. Examples of control errors include knowing that access termination for employees leaving the company didn’t occur, or that software, application, and/or infrastructure changes were implemented without approval for a certain period of time.

Overall, a longer monitoring period is considered best practice because it provides more assurance about your control operation. In other words, it’s more challenging to operate controls consistently over 12 months than over 3 months, so a longer period sets a higher standard of achievement. However, it’s completely valid to choose a shorter monitoring period for your initial Type 2 as your organization works its way up to an annual cycle.

No matter your chosen duration, it’s important to note that your Type 1 report is generally accepted as current for one year after its issuance, so you will still be considered SOC 2 compliant while you work toward your Type 2.

Start Date

The most important aspect in choosing a monitoring period start date is ensuring your controls are operating as intended from that point forward. It’s common to choose the day after the “as of” date printed on your SOC 2 Type 1 report as the start date for your Type 2 monitoring period, but this doesn’t have to be the case. For example, if you know your controls were in place and operating two months before you actually went through your SOC 2 Type 1 audit, it would be appropriate to start your monitoring period at the point where you are confident your controls were operating effectively, rather than at the date on your Type 1 report. Whatever date you pick, be sure you can produce evidence of control operation from that date onward; an early start date with no evidence behind it only creates exceptions.

You’ll want to consider the aspects listed above and remember that, generally, longer periods provide more trust in your organization’s compliance program.

End Date

You’ll likely want your monitoring period end date to align with your future audit kickoff date. At Strike Graph, we recommend at least a week or two between your monitoring period end date and audit kickoff. This buffer allows population evidence items (complete lists covering the whole period, such as every employee termination or every production change, from which the auditor selects samples) to be uploaded after the monitoring period concludes but before the audit commences. These lists can only be finalized once the period has closed, which is why the gap is needed.

Annual Cadence

Eventually, your organization will likely settle into a 12-month monitoring period and be audited annually. Your monitoring period is ultimately up to your organization's discretion, but it can be helpful to keep an annual cadence in mind when scheduling your first audit, as your audit will in principle occur at the same time each year.

Therefore, it is advisable to avoid scheduling the end of your monitoring period close to holidays or during times when you know a lot of employees will be out of office, since population evidence gathering and auditor requests tend to cluster in the weeks immediately after the period ends.
