Information Security

  • 1.  SOC2 type 2: 12 months vs less than 12 months

    Posted 10-25-2024 10:15 AM

    Since operating effectiveness is being tested with SOC 2 Type 2 reports, what is the general consensus when a vendor provides one covering 3, 6 or 9 months vs 12 months, and they provide bridge letters for reports other than 12 months?

    I've always been under the impression that bridge letters are not used for the purpose of replacing actual testing. Meaning, a vendor shouldn't be providing a report with a testing period January - June every year and then provide a bridge letter for July - December. I suppose the vendor can, but this isn't acceptable?

    Is it acceptable to accept a report with a reporting period other than 12 months even though the operating effectiveness of those controls is untested for the rest of the year?



  • 2.  RE: SOC2 type 2: 12 months vs less than 12 months

    Posted 10-25-2024 11:00 AM

    Opinion:

    That depends on your risk appetite and your policies.

    That said, unless your risk program has a heck of a lot more pull than any I've ever been a part of, I don't know that there are many customers who can require a vendor to pay for a 12-month SOC review and have the vendor volunteer to foot the extra expense.

    There are companies out there that do a SOC 2 Type 1, or other SOC reports that are from one day of monitoring. Never mind others that don't do a full SOC audit in the first place. Is that a deal breaker? That depends on your company's risk appetite.

    I have yet to see an auditor kick back a finding for the organization because the third party didn't have a long enough audit period for their SOC.

    As far as bridge letters, they are what they are, whether they cover one month or a year. I've seen both, and neither has raised eyebrows.



    ------------------------------
    Dave Howe
    Chief Information Officer
    Franklin First Federal Credit Union
    ------------------------------



  • 3.  RE: SOC2 type 2: 12 months vs less than 12 months

    This message was posted by a user wishing to remain anonymous
    Posted 10-25-2024 03:27 PM

    When I had to do my annual reporting, if a vendor's SOC 2 report didn't use the same time period as mine, I included the report for the SOC timeframe. I never asked for a bridge letter. When I was questioned, my answer was that they are doing the report annually as required.

    The only time I saw a bridge letter was when a vendor didn't have the report done on time. When that happened the conversation changed to why and what was the delay and it was flagged as an issue.




  • 4.  RE: SOC2 type 2: 12 months vs less than 12 months

    This message was posted by a user wishing to remain anonymous
    Posted 10-25-2024 05:07 PM

    I don't know how others feel about this. True story: I had a vendor this year who gave me a 3-month SOC 2 report from 2022 and tried to give me, I think it was, 4 subsequent bridge letters. This was not approved.




  • 5.  RE: SOC2 type 2: 12 months vs less than 12 months

    Posted 10-26-2024 09:02 AM

    We request 12 months' coverage of testing in SOC reports, and if less than 12 months is covered in the SOC report, we review the report and also document our internal controls relating to the risk. A bridge letter is requested if the SOC 1 Type 2 report does not go until our year end (12/31), and we typically see 3-month bridge letters from the suppliers identifying whether there have been changes in their control environment.