Audit Period

The audit period is the window of time covered by a SOC 2 Type 2 examination. The auditor tests whether controls operated effectively across this entire window, typically three, six, nine, or twelve months. The period is selected by the service organization in coordination with the auditor and the customers requesting the report. A three-month period is the shortest accepted by most enterprise buyers and is common for first-time Type 2 reports. Twelve months is the standard for mature compliance programs and provides the strongest assurance. The audit period appears prominently on the cover of the attestation report so readers understand the scope of evidence the auditor reviewed. SOC 2 Type 1 reports do not have an audit period because they evaluate control design at a single point in time rather than effectiveness over time. Choosing the right audit period balances cost, time-to-report, and customer expectations.