Contact a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
View All Industry Solutions
Learning Center
Articles
Whitepapers
Video
Case Studies
Events & Live Webinars
On-Demand Webinars
Schellman Training
Visit the Learning Center
Our Process
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Learning Center
Learning Center
Visit the Learning Center
Articles
Articles
Whitepapers
Whitepapers
Video
Video
Case Studies
Case Studies
Events & Live Webinars
Events & Live Webinars
On-Demand Webinars
On-Demand Webinars
Schellman Training
Schellman Training
Our Process
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Contact a Specialist

«  View All Posts

IT Audit 102: A Brief History Blog Feature
Ben Kwan

By: Ben Kwan

Print/Save as PDF

IT Audit 102: A Brief History

SAS 70 | ISO 27001 | SOX | ISO Certifications

Some of you may recall the Enron scandal of 2001.

Me, I was in elementary school and I just remember that a company that sounded like Chevron was all over the news.

Whether you do remember those headlines or not, the Enron debacle deeply affected the American psyche—this was a household name that crumbled amidst findings of false financial reporting that seemed to set off a tidal wave of industry collapse.

After all, in the ensuing year, several other companies disintegrated, billions of dollars were lost, and public trust of large companies was heavily damaged. It was like if, today, Google was caught misrepresenting their finances and then declared bankruptcy.

Imagine the chaos.

So yes, the Enron scandal caused enormous devastation, but in fact, out of its ashes emerged some of the most important advancements in information security, including the value of an audit. These changes were important across the entire business landscape, but especially so for Schellman since these ideas became and remain our primary service offerings.

But as I’ll note later, Schellman itself has evolved over the years, paralleling a similar journey of the information security audit itself, including the advent of different compliance standards, the updating of these regulations, and the idea of different audits to suit different data.

Security compliance is a diverse space these days, but how did we get here?

SOX as a First Step

This all began with Enron, so let’s start there.

Their deception gave us the Sarbanes Oxley Act (SOX), which was enacted by the United States government in 2002. Unsurprisingly, it placed strict requirements around financial reporting, disclosures, audit, and management responsibility. Given the scope of Enron’s damage, SOX was the first big prevention attempt of a round two.

And it did work—immediately after it was enacted, companies made great efforts to be compliant by revamping their handle on their company’s internal controls. That’s a bit of industry jargon, so to translate:

“Internal controls” are the mechanisms, roles, and procedures implemented to ensure integrity of financial and accounting information.

These things are so important, it’s no wonder they got their own term.

SAS 70

But like I said, now that the door was open to compliance standards, things evolved—things like SAS 70, which developed into what once was the most prominent auditing standard that allowed a service organization to disclose the effectiveness of their controls to its customers.

SAS 70 had actually been around since 1992, but its rise as a standard can be attributed to the fact that it satisfied section 404 within the newly established SOX, an important section on proper financial controls. SAS 70 became so prominent that it even became the namesake of one firm you may recognize—

In 2002, SAS 70 Solutions was born, eventually to become what is now Schellman & Company. So while SAS 70 was important in the world of security compliance, it represents our literal roots at Schellman as the auditing service we first provided.

The Lasting Power of SOC

Despite that, if you go on our website today, you’ll notice under our offerings that SAS 70 is not listed.

It’s not that we’ve moved away from our humble beginnings—the industry did and we dutifully followed. Because as SAS 70 grew in popularity, some distinct shortages were highlighted in using this type of audit—especially for technology companies.

Tech has been advancing at a supersonic rate for a while now, and around ten years ago, more and more organizations were beginning to pivot towards cloud computing, servers, or colocation. But these things could not be properly assessed or reported on in a SAS 70 audit, and so a new standard, the SSAE 16, was introduced in 2010.

You probably know it, because completed successfully, it results in a SOC 1 report. And from there, SOC grew even more—three different reports (SOC 1, SOC 2, and SOC 3) were released between 2010 and 2011, and more recently, SOC for Cybersecurity and SOC for Supply Chain have been created as well to suit different organizational needs.

(I don’t have the space to cover all of these in the depth they deserve within the scope of this blog, but they all have their own strengths and emphases. If you want some more information on some of the differences, check out a more detailed post here.)

Well Then, What Is ISO 27001?

As such a popular standard even today, SOC remains our bread and butter here at Schellman, but it’s not the only compliance standard out there either—that we offer or otherwise. ISO 27001 has also risen to prominence, thanks to its more holistic approach to information security, and probably also because it maps quite nicely to SOC 2.

We’ve written about that before too, but at a high level, you should know SOC and ISO have similarities as far as the security controls they test—they’re just managed by different organizations, and like I said before, ISO takes a different sort of approach.

In general, we might say that SOC and ISO 27001 are cousins that can mutually benefit one another, and the importance of both can be traced back to Enron and SOX in 2001 and 2002.

What’s Next?

Given the information security developments made in their wake, the Enron debacle and the subsequent SOX Act do represent significant events in recent history, but the industry has proven that it doesn’t need similar devastation to continue progressing. We have already come quite a ways even from SAS 70, and the space continues to grow.

As organizations evolve and technology improves, we expect the need for compliance space to follow suit. The latest iterations like SOC for Cybersecurity, ISO 27018, and ISO 27701 are examples of this, and there is more to be said about them, as well as the many other standards and regulations that continue to govern how well we all protect our data.

It’s always good to look back at where we came from, but history is still history—having been at the forefront of all these developments so far, we at Schellman are looking forward to the future and our continued leadership in this space, one audit at a time.

About Ben Kwan

Ben Kwan is a Senior Associate with Schellman based in Los Angeles, CA. As a Senior Associate with Schellman, Ben is focused primarily on ISO audits across various industries.

Schellman

4010 W Boy Scout Boulevard, Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S. 1.813.288.8833

Services
Industries
Resources
Company

© SchellmanPrivacy PolicyTerms

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.