How often do I need to renew my SOC 2 Audit?

  • Updated

SOC 2 is not a mandatory regulation, but you may want to pursue a SOC 2 report if you intend to do business with large, US-based enterprise companies. Though there is no mandatory timeframe to renew, most companies complete a SOC 2 audit on an annual (12 months) or semi-annual (6 months) basis.

If your company decides to conduct Audits within a 12 month period, you may experience a gap in report coverage if your audit dates do not align with your fiscal year. In such scenario's, you may use a Bridge letter (or gap letter) to vouch for your credentials between an expired SOC 2 report and the time it takes to obtain a new one. Though SOC 2 reports do not necessarily expire, most prospects or partners do not accept a SOC 2 report if it is older than a year.

Should you require a bridge letter, please refer to this article: Frequently Asked Questions: SOC 2 Bridge Letter