Audit Period (Observation Window)

SOC 2, ISO 27001

The continuous date range during which a SOC 2 Type II or ISO 27001 surveillance audit tests operating effectiveness.

The audit period (or observation window) is the continuous date range covered by an attestation or certification. SOC 2 Type II observation windows are typically 3, 6, or 12 months; ISO 27001 certification cycles are 3 years with annual surveillance audits.

Why it matters
Controls must be operating throughout the entire window. A single missed access review or unlogged change during the period becomes an exception in the report.

Related terms

SOC 2 Type I vs Type II
Type I = design of controls at a point in time. Type II = design + operating effectiveness over a period (typically 3–12 months).
SOC 2
AICPA attestation report on a service organisation's controls across five Trust Services Criteria.
