History of SOC reporting

History of SOC reporting


This blog helps you understand the history and background of SOC reporting and a brief overview of how it came into
existence and evolved as a way of addressing risks associated with outsourcing services.
Brief History
The increased prominence on governance, risk management, and compliance has steered companies to focus on internal
controls over all aspects of their operations. Service organizations providing outsourced services (IT, business processes,
etc.) often engage a third party audit firm to certify the design and operating effectiveness of these controls. The auditor’s
inspection of an organization’s internal control and the impact that a service organization may have on the entity’s
control environment has long been an area of focus in designing an acceptable audit approach.
The original standard for attesting was known as SAS 70 and was an established way by which service organizations
could illustrate the effectiveness of their internal controls. The SAS 70 audit was performed by a CPA and the result was a
report on the effectiveness of internal control over financial reporting (ICFR). This report was often used by the
organizations to show that a vendor was secure and safe to work with. However, the report was principally was not meant
for that purpose.

Introduction of SSAE 16

The technology evolved and so did the AICPA’s attestation standards. SSAE No. 16 reporting standards was completed by
the AICPA in January 2010. SSAE 16 beneficially replaced SAS 70 as the reliable guidance for reporting on service
organizations. SSAE 16 was officially issued in April 2010 and became effective on 15th June 2011. SSAE 16 was drafted
with the objective and purpose of updating the US service organization reporting standard so that it reflects and adheres
to the new international service organization reporting standard – ISAE 3402.
SSAE 16 also established a new attestation standard called AT 801 which contained guidance for performing the service
auditor’s examination. Many service organizations that had previously performed a SAS 70 examination now switched to
the new standard in 2011 and now had an enhanced SSAE 16 report (also referred to as a Service Organization Controls
(SOC) 1 report).

The upgraded SSAE 18

The SSAE no. 18 (Statement on standards of attestation engagements) used for SOC reporting is the latest periodic
statement issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants
(AICPA) effective from 1st May 2017. Following were the key changes in transforming from SSAE16 to SSAE18:
 SOC as defined under the SSAE-16 Standard stood for ‘Service Organization Control’. Under the new
Standard, SOC now stands for ‘System and Organizational Controls’, and applies to other types of
organizations and both system and/or entity-level controls.
 In the SSAE-16 Standard, complementary user-entity controls (CUEC) were defined as those controls at userentity organizations that were both necessary and unnecessary to achieve control objectives stated in
management’s description. Under the SSAE 18 Standard, CUEC are now defined as those controls that are only
necessary to achieve control objectives stated in management’s description.
 The new SSAE-18 Standard adds requirements related to subservice organizations (SSO) and vendor
management processes. When subservice organization is carved out, the inclusion of SSO controls are now
provided in management’s description similarly to CUECs. Also, vendor management processes to monitor the
effectiveness of controls at SSO have been stressed upon.
 The new SSAE-18 Standard requires that the Management Assertion letter accepting responsibility for the
description be signed. Previously, a Management Assertion letter was required but it did not have to be signed.
 The new SSAE-18 Standard has also included revisions to the language used in the Management Assertion Letter
and Service Auditor’s report to accommodate general changes and those associated with complementary userentity and subservice organization controls.

The following table summarizes some of the Statements relative to internal control, the effect of information technology
on a financial statement audit, and service organizations, that have been made since SAS No.70 standards introduced in
Statement Name Date Issued Title of Statement
SAS No. 70 April 1992 Service Organizations
SAS No. 78 December 1995
Consideration of Internal Control in a
Financial Statement Audit: An
Amendment to Statement on
Auditing Standards No. 55
SAS No. 88 December 1999 Service Organizations and Reporting
on Consistency
SAS No. 94 May 2001
The Effect of Information Technology
on the Auditor’s Consideration of
Internal Control in a Financial
Statement Audit
PCAOB No. 2 March 2004
An Audit of Internal Control over
Financial Reporting in Conjunction
with an Audit of Financial
Statements. (Note: Appendix B refers
to Service Organizations)
PCAOB No. 5 May 2007
An Audit of Internal Control over
Financial Reporting that is Integrated
with an Audit of Financial
Statements. (Note: Appendix B17-B17
covers Service Organization

ISAE No. 3402 December 2009 Assurance Reports on Controls at a
Service Organization
SSAE No. 16 April 2010 Reporting on Controls at a Service
SSAE No. 18 May 2017
Concepts common to all Attestation
engagements (with more stress on
system details, CUEC
(complimentary user organization
controls) and SSO (sub-service
organization) controls.)

Hope this blog would have added to your understanding the knowledge related to SOC reporting standards.
Stay connected and feel free to reach out for knowing more about different types SOC reporting.

Leave a Reply

Your email address will not be published. Required fields are marked *