Opinion:
That depends on your risk appetite and your policies.
That said, unless your risk program has a heck of a lot more pull than any one I've ever been a part of, I don't know that there are many customers who can require a vendor to pay for a 12 month SOC review and have the vendor volunteer to foot the extra expense.
There are companies out there that do a SOC2 Type 1, or other SOC reports that are from one day of monitoring. Never mind others that don't do a full SOC audit in the first place. Is that a deal breaker? That depends on your company's risk appetite.
I have yet to see an auditor kick back a finding against the organization because a third party's SOC audit period wasn't long enough.
As far as bridge letters, they are what they are, whether they cover one month or a year. I've seen both, and neither has raised eyebrows.
------------------------------
Dave Howe
Chief Information Officer
Franklin First Federal Credit Union
------------------------------
Original Message:
Sent: 10-25-2024 10:15 AM
From: Paul Kim
Subject: SOC2 type 2: 12 months vs less than 12 months
Since operating effectiveness is being tested with SOC2 Type 2s, what is the general consensus when a vendor provides one covering 3, 6 or 9 months vs 12 months, and they provide bridge letters for reports other than 12 months?
I've always been under the impression that bridge letters are not used for the purpose of replacing actual testing. Meaning, a vendor shouldn't be providing a report with a testing period of January - June every year and then providing a bridge letter for July - December. I suppose the vendor can, but this isn't acceptable?
Is it acceptable to accept a report with a reporting period other than 12 months, even though the operating effectiveness of those controls is untested for the rest of the year?