The History Of SOC 2


Vector Representation of SOC 2's entire timeline of existence
The History of SOC 2

To understand the objective of a SOC 2 report, it's important to first know the background and history of how SOC 2 came into existence. It is imperative for organizations to comprehend how SOC 2 reports help service organizations to manage the risks associated with outsourcing services.

Before SOC 2, SAS 70 (Statement of Auditing Standards No. 70) was the original standard for auditing service organizations. SAS 70 audits were introduced in the 1990s, and the audits were performed by Certified Public Accountants (CPAs).

Over the next 20 years, organizations began outsourcing services for various departments, such as

  • IT application development

  • Manufacturing Process

  • Project development

  • Payroll processing

  • Cloud computing

Post outsourcing, organizations realized that exposing financial and sensitive data to third parties could affect the reputation of the company. As a result, SOC audits were introduced. These audits validated the level of security of third-party companies, acting as evidence for customers to trust their services.

When did SOC 2 audits start?


In April 2010, the AICPA announced a new auditing standard called SSAE 16 (Statement on Standards for Attestation Engagement). Under SSAE 16, AICPA introduced three new reports to address the growing need of companies to validate and communicate their state of security. These three standards were; SOC 1, SOC 2, and SOC 3.

SOC 1 audit is specific to evaluating controls that impact clients in a certain way. It focuses on how organizations' services impact the customers' financial reporting.


SOC 2 audit evaluates internal controls, policies, and procedures that directly relate to the security of a system at a service organization. It is based on 5 TSCs (Trust Service Criteria) - Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 3 report contains the same information as SOC 2, but it's presented for a general audience rather than an informed one. It is also more publicly accessible than the previous two reports.

In May 2017, the AICPA replaced SSAE 16 with SSAE 18 to update and simplify some confusing aspects of SSAE 16.


The updated version of SSAE 18 is now applicable in all three standards - SOC 1, SOC 2, and SOC 3.


Read more about SOC 2 and how it benefits organizations here.


Get SOC 2 Compliant Fast with Scrut

Scrut Automation is a smart and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, Compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, and privacy laws like HIPAA, GDPR, and CCPA. Schedule your demo today to see how it works.


8 views

Recent Posts

See All