Think of the audit period as the time duration over which the policies/procedures/IT control environment/etc. are evaluated.
An audit period is relevant in the world of compliance and auditing. Before a potential business partner or customer enters into contract agreements, paying money, and handing over important information, they want to be assured that the company they are working with is credible and that this credibility has been evaluated and vetted appropriately. Additionally, companies want to ensure that the security environment and processes are up to standard at the current point in time. If an organization were to begin working with a customer in 2022, and they were able to provide the customer with an audit report from 2015, this would be totally superfluous to their current control environment (potentially).
Therefore, an audit period gives assurance and confirmation of when the control environment was evaluated, and for what period of time the report should be considered. Compliance and control-environment security should be an ongoing process. A company that performed a SOC 2 audit for the audit period 1 January 2022 – 31 December 2022, would want their reporting period to be continuous i.e. their next audit would then begin on 1 January 2023. By following this approach, there is no gap in reporting, and there is consistent monitoring and evaluation of the control environment. When there are gaps in audit periods, there are additional considerations, and it is possible to obtain a bridge letter from the independent audit body (proving that the control environment was consistent during that time), but best practice is continuous audit period without gaps.
A break in an audit period may be relevant if a control environment were to undergo significant changes and in such instances this would be easier to justify (as the gap in time would typically be the time taken to develop and implement the ‘new’ system).
SOC 2 audits
It is important to understand that there are differences in terms of ‘audit periods’ in different audit frameworks. For example, SOC 1, SOC 2, and SOC 3 are all audit types that can either have point-in-time audit periods (Type I) or period-of-time audit periods (Type II). This means that if an audit period is defined as a 6-month period from 1 January 2022 – 31 July 2022, all audit evidence that is specific to this audit will be collected, sampled, and provided during this time. It is an important audit consideration and requirement that no evidence from outside of this period is used as evidence for the audit (as it pertains to an excluded period in time). For example, an organization would not be able to submit and include screenshots or listings that are extracted in September 2022 for an audit defined by the abovementioned audit period.
ISO 27001 audits
ISO 27001 audits differ from this by means of adopting an approach of ‘current stance and continual improvement’. What this means is that an ISO 27001 audit evaluates an organization in its current position. For example, if an ISO 27001 audit begins on 1 April 2022, the audit itself will review and evaluate the control environment, policies, and procedures that are enforced at this time. For any gaps and deficiencies, these are noted as areas where improvement and remediation are required and are then evaluated in the surveillance audit the following year. In this example, it is clear to see that the outcome of an ISO 27001 audit will not provide an evaluation over a specific period of time, but rather ‘as at’ that period of time.