Cloud Controls Matrix

  • 1.  Validity of SOC 2 report

    Posted Nov 25, 2022 03:32:00 AM
I am reviewing a SOC 2 report of a cloud service provider. The audited period mentioned in the report is 01-APR-2021 to 31-MAR-2022. For how long (what period) is this SOC 2 report valid for review? Since it is nearly 8 months old, do I need to get a bridge letter from the service provider? Please clarify. Thanks.

    ------------------------------
    MANJUNATH A T
    IT COMPLIANCE AUDITOR
    APPLIED MATERIALS
    ------------------------------


  • 2.  RE: Validity of SOC 2 report

    Posted Nov 25, 2022 06:47:00 PM
    Hi,
    It depends on which report we are talking about.
    SOC 2 Type 1 is typically valid for 6 months.
    SOC 2 Type 2 is valid for 12 months.

    This validity is from the report date.

    For further assurance you can collect a bridge letter from the service provider.

    Regards,
    Sandeep Ganguly

  • 3.  RE: Validity of SOC 2 report

    Posted Nov 28, 2022 04:59:00 AM

    @MANJUNATH A T. SOC 2 reports are backward-looking. They tell you the status of an organization at a point in time, against a predetermined set of criteria. They are backward-looking. As far as I know (I've looked) there is not a validity period for how long they are good. What you are willing to accept is up to your organization. As a rule of thumb, I would be suspicious of anything more than a year old.

    The further you get away from the date, the more likely it is that things have changed. More important is whether the report is Type 1 or Type 2. That will tell you how much data was looked at and the depth of the investigation used to make the determinations. Type 1 looks at the design of the controls. Type 2 reviews at least 6 months of operational data and therefore provides a better indication of operational effectiveness (OE).

    Organizations usually begin refreshing their SOC 2 report at least a quarter before. I would ask them where they are in the re-assessment and what has changed in their environment. I would also ask the usual questions about incidents, etc. Were specific weaknesses mentioned in the existing report? Are there specific controls more important to you than others? If so, I would dig deeper into those areas.
    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 4.  RE: Validity of SOC 2 report

    Posted Nov 28, 2022 02:39:00 PM
    The report would be valid for the period indicated (as you noted above). We typically need to check whether the report has an 'unqualified opinion' from the auditors. If this is not the case, you would need to explore the reasons for the same. And on the bridge letter, yes, since the end date is a few months ago, the cloud provider would typically need to provide a bridge letter saying that their control environment is still unchanged since 3/21/22.

    ------------------------------
    Bala Krishnan
    Sr. GRC Specialist
    SAP
    ------------------------------



  • 5.  RE: Validity of SOC 2 report

    Posted Nov 29, 2022 06:25:00 AM
    @MANJUNATH A T a slight modification. I misread the dates. My bad. I would dig into why they have not produced a more recent report. A bridge letter is a good start but I would not stop there.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------