From SAS 70 to SOC 2: Understanding the Timeline

Kyle Morris

Senior Compliance Success Manager

Accurately differentiating between different auditing standards, frameworks and naming conventions can easily feel like trying to navigate a foreign language. However, it doesn’t have to be so complicated! Allow us to translate. 

SOC 2 vs SAS 70 in a Nutshell

Simply put, SSAE 18 governs SOC reports – it outlines the criteria and requirements for conducting SOC 2 audits to ensure consistency when evaluating controls across different organizations.

Understanding SOC 2

Let’s be honest; we all have a teacher’s pet – and at Scytale, SOC 2 is a strong contender. SOC 2 (Service Organization Controls 2) is one of the more well-known security frameworks. It’s primarily geared toward technology-based companies that use cloud-based storage of customer data, providing them with a set of compliance requirements to ensure they meet leading security standards. 

In a nutshell, SOC 2 focuses on five Trust Service Principles. These TSPs were developed by the AICPA (The American Institute of Certified Public Accountants) and are set criteria that standardize and structure how the design and effectiveness of a service organization’s security controls should be evaluated. These five principles include: 

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

When pursuing SOC 2 compliance, each organization can determine which TSPs to include in the scope of their SOC 2 report. Security, however, is the one mandatory TSP and a non-negotiable for SOC 2 compliance. To become SOC 2 compliant, your organization undergoes an external audit: an independent review of your security controls in which the auditor assesses your security posture, tests it against the specific requirements for each in-scope TSP, and determines whether or not you have effectively implemented the correct internal controls.

We break down the nitty-gritty of SOC 2 compliance further in our wide array of SOC 2 resources. But for a quick overview, watch our video on What is SOC 2 anyways!

Understanding SAS 70

And just when you think you have a fair understanding of the security landscape – you encounter something that predates SOC 2—SAS 70. Although it’s not new, it might be unfamiliar to some. Let’s take a look at SAS 70 (which has since evolved into SSAE 18).

We don’t want to bore you with the timeline. However, it’s important to note how SAS 70 falls into the evolution of the SOC landscape. 

Prior to 2011, all service organizations were to complete their reports under Statement on Auditing Standards (SAS) No. 70. However, SAS 70 was not without its limitations, which is bound to happen in a fast-evolving industry. The AICPA therefore moved to Statement on Standards for Attestation Engagements (SSAE) No. 16 to account for the limitations within SAS 70. Fast forward to April 2016, and we have SSAE No. 18, which updated critical reporting aspects such as:

  • Naming convention
  • Vendor management
  • Complementary sub-service organization controls
  • Service auditor risk assessment
  • Written assertion requirements

SAS 70, now SSAE 18, plays a significant role in the compliance landscape, particularly for third-party service organizations. Remember when we mentioned the AICPA? SSAE 18 is a set of attestation standards developed by the AICPA. Simply put, the standard (originally SAS 70, now SSAE 18) establishes the necessary requirements for service auditors when conducting an examination of a service organization’s controls.

So, how do the two work together, and how do they differ in terms of security compliance? 

Key Differences Between SOC 2 vs SAS 70

Although dozens of granular aspects differentiate SOC 2 and SAS 70, it’s best to start from the top. In brief, one of the major differences is that SAS 70 focuses on internal controls over financial reporting and the intricacies of how service organizations report on their controls, aligning with auditing standards and organizational controls.

SOC 2, on the other hand, is aimed at a broader range of service providers with internal controls that can cover any combination of the five TSPs. When looking at SOC 1 (a.k.a. SAS 70), it’s noteworthy that SOC 1 is generally considered an auditor-to-auditor report.

The Purpose of SOC 2 vs SAS 70

SSAE 18 is generally recommended to organizations that offer services that could affect their clients’ financial reporting. These may include data centers, payroll processors, and loan servicing companies. This is because the SSAE 18 audit evaluates how service organizations report on their controls, aligning with auditing standards and organizational controls.

On the other hand, SOC 2 is aimed at organizations that store, process or transmit sensitive customer data. This can include cloud computing providers, data analytics firms, and Software as a Service (SaaS) companies. This ensures that they implement the correct security measures and controls as opposed to how they report on the controls’ effectiveness. 

It is possible for companies to require additional scrutiny beyond the SOC 2 report to ensure that the controls are not only effective but also accurately and fairly represented in the report. This is where auditors conducting SSAE 18 audits come in. They assess not only the controls themselves but also the company’s compliance with the reporting requirements outlined in the standard, such as the accuracy and completeness of the description of the system and the fairness of the presentation of the controls’ effectiveness.

Do You Need SOC 2 or SAS 70?

When it comes to choosing the right audit for your business, it might seem like there are multiple options, but here’s the thing—SAS 70 is no longer valid. It’s been retired, so there’s really only one choice when it comes to modern standards: SOC 2.

To figure out if SOC 2 is the right fit for your needs, start by identifying your data security objectives. Consider the type of client information you handle, any regulatory requirements that apply, and the specific demands of your industry. SOC 2 is designed to help you meet those data security goals with its focus on the trust service criteria.

Still feeling unsure? That’s exactly where we come in. We’re here to help you navigate your options and ensure your audit aligns perfectly with your business needs.

Set the Standard with Scytale 

Ultimately, knowing which standards apply to your organization and whether or not you need more than a SOC 2 report requires one thing: an expert opinion. 

Fortunately, you’re in the right place. 

At Scytale, we keep up with the changing compliance landscape, so you don’t have to. We also deep dive into your security posture and become an extension of your team to ensure that when it comes to reporting on your service organization controls – you’re following the best practices for your industry (without breaking a sweat). 

For more information on how to navigate SOC 2 and ensure it fits your business needs, reach out to our dedicated compliance experts. We manage the entire audit-readiness process for you, guiding you through each requirement step by step!

Alternatively, if you’re ready to choose, we’ve got all our frameworks locked and loaded!
