The AICPA Service Organization Control (SOC) reporting framework, which consists of SOC 1, SOC 2 and SOC 3 reports, represents a significant milestone in reporting on controls at service organizations, and one that many felt was long overdue. SAS 70, a well-known and globally recognized auditing standard that was put forth in 1992, was for many years the only essential mechanism used for third-party reporting on service organizations. Sure, there were other country- and region-specific standards, but none of them equaled the status and notoriety of SAS 70. As such, the standard became widely used, but it also strayed heavily from its original intent of reporting on controls related to internal control over financial reporting.
Add to that the fact that the dynamics of service organizations had drastically changed and that a new international standard for reporting on controls, known as ISAE 3402, was born, and it became quite apparent that the AICPA had to make comprehensive changes to SAS 70. In short, enter the SOC reporting framework, along with SSAE 16 (and now SSAE 18) and AT Section 101, and exit the long-standing SAS 70 standard.
Goodbye SAS 70 and SSAE 16; Hello SSAE 18
To be fair, the AICPA was well aware of the changing landscape of service organizations, such as the rise of cloud-based computing, the migration towards international accounting standards (such as ISAE 3402) and the overall need to revamp an antiquated and misused auditing standard (SAS 70). In fact, the AICPA and the International Federation of Accountants (IFAC) worked together in a collaborative fashion, as witnessed by the striking similarities between these two new standards (SSAE 16, and now SSAE 18, and ISAE 3402) for reporting on controls at service organizations.
With that said, it's important to gain a comprehensive understanding of the AICPA Service Organization Control (SOC) reporting framework, what it is and what it means to you as a service organization. As stated earlier, there are three (3) reporting options under the new SOC framework: SOC 1, SOC 2 and SOC 3. Probably the single most important aspect to understand is that the SOC framework represents the AICPA's keen understanding of the complexities that have evolved over the last two decades for service organizations and the need to provide auditors with tools to meet the growing compliance demands of these organizations. As such, the AICPA's revamping of reporting on controls for service organizations, from a single, antiquated standard (SAS 70) to a new comprehensive framework (SOC), will forever change the reporting requirements for service organizations.
SOC 1 SSAE 18 and SOC 2 Audits are Growing in Acceptance Worldwide