HISTORY OF SOC REPORTS
Setting a Precedent: 70 Years of SOC Reporting
The name “SOC Report,” which stands for System and Organization Controls Report, has been around for only about the last decade, but the history of this process goes back much further than that.
SOC reports must be prepared by CPAs, and these auditors are required to undergo a peer review process every three years to maintain their auditor status.
The premise behind these audits and assessments has been around for more than 70-plus years in one form or another, making it a time-tested framework for assessing a service organization’s operational practices and ability to stand by those practices.
These reports have gone through a number of name changes over the years as they increased in complexity and scope. They were initially referred to as Service Organization Control Reports when created in 2011 by the American Institute of Certified Public Accountants (AICPA).
What we now refer to as SOC 1 and SOC 2 Reports focus on dependable financial information and data security, respectively. These frameworks were preceded by the Statement of Standards (SAS) 70, created by AICPA. Later, the process was updated and referred to as the Statement of Standards on Audit Engagements (SSAE) 16.
The current SOC audit framework calls for these audits and reports to be conducted and issued by CPA firms. SOC reports must be prepared by CPAs, and these auditors are required to undergo a peer review process every three years to maintain their auditor status.