Audit reports are prepared using data from the prior 12-month period, because an auditor needs at least six months of data to be able to provide an opinion.
For example, CenturyLink’s 2015 SOC 2 Report was conducted during the period of October 1, 2014 to September 30, 2015 and was available for distribution mid-November, taking into account audit draft time. CenturyLink followed up the SOC 2 report with a bridge letter, which was issued mid-January 2016 and covered October 1, 2015 through December 31, 2015. CenturyLink does not issue ad-hoc bridge letters at any other time. In order to provide this level of service, CenturyLink requires a mini-audit for each of the controls within the report before providing the findings to upper management for sign-off.
CenturyLink’s compliance organization understands that customers require “up-to-date” information; however, data is required in order to audit the controls. Because data materializes over a given time period, ample time has to have passed in order to fully complete an audit report. Consequently, CenturyLink’s SOC 2 report dated September 30, 2015 is considered current under the AICPA standard.
If a customer has audit rights included in their Master Service Agreement (MSA), they can exercise those rights and audit CenturyLink to ensure that the controls impacting them are operating effectively as per the last report. The audit for the 2016 SOC report will not begin until May 2016 and will end September 2016.