When and where did SOC 2 originate?

To understand the purpose of SOC 2, it’s important to know how the framework first came about. 

When Did SOC Audits Start?

The roots of SOC 2 stretch all the way back to the early 1970s. This is when the American Institute of Certified Public Accountants, which created SOC 2, released the Statement on Auditing Standards (SAS) 1.

The SAS 1 document officially outlined an independent auditor’s role and responsibilities.

Decades passed, and new SAS were created, all the way up to SAS 70 in 1992.

Throughout the early 1990s, CPAs used SAS 70 to determine how effective a company’s internal financial controls were. Over time, SAS 70 became a way to report on how companies treated information security in general.

Over the next 20 years, companies began to outsource services like payroll processing and cloud computing. And these services could affect financial reporting or data security.

As a result, the need arose for companies to validate their level of security, ideally through a trusted third party.

When Did SOC 2 Start?

In April 2010, the AICPA announced a new auditing standard: the Statement on Standards for Attestation Engagement (SSAE 16).

Under SSAE 16, the AICPA released three new reports. This resulted in the Service Organization Controls (SOC) and the ever-popular SOC 2:

  • SOC 1: Internal controls for financial statements and reporting
  • SOC 2: Internal controls for the five Trust Services Criteria. (These are Security, Confidentiality, Processing Integrity, Privacy, and Availability of customer data)
  • SOC 3: SOC 2 results, tailored for a public audience

In May 2017, the AICPA replaced SSAE 16 with SSAE 18 to update and simplify some confusing aspects of SSAE 16.

SSAE 18 is now used for all SOC 1, SOC 2, and SOC 3 reports.