IT Audit 102: A Brief History

Some of you may recall the Enron scandal of 2001.

Me, I was in elementary school and I just remember that a company that sounded like Chevron was all over the news.

Whether you do remember those headlines or not, the Enron debacle deeply affected the American psyche—this was a household name that crumbled amidst findings of false financial reporting that seemed to set off a tidal wave of industry collapse.

After all, in the ensuing year, several other companies disintegrated, billions of dollars were lost, and public trust in large companies was badly damaged. It would be as if, today, Google were caught misrepresenting its finances and then declared bankruptcy.

Imagine the chaos.

So yes, the Enron scandal caused enormous devastation, but out of its ashes emerged some of the most important advancements in information security, including a new appreciation for the value of an independent audit. These changes were important across the entire business landscape, but especially so for Schellman, since these ideas became and remain our primary service offerings.

But as I’ll note later, Schellman itself has evolved over the years, paralleling a similar journey of the information security audit itself, including the advent of different compliance standards, the updating of these regulations, and the idea of different audits to suit different data.

Security compliance is a diverse space these days, but how did we get here?

SOX as a First Step

This all began with Enron, so let’s start there.

Their deception gave us the Sarbanes-Oxley Act (SOX), which was enacted by the United States government in 2002. Unsurprisingly, it placed strict requirements around financial reporting, disclosures, audit, and management responsibility. Given the scope of Enron's damage, SOX was the first major attempt to prevent a repeat.

And it did work. Immediately after it was enacted, companies made great efforts to comply by overhauling their internal controls. That's a bit of industry jargon, so to translate:

“Internal controls” are the mechanisms, roles, and procedures an organization implements to ensure the integrity of its financial and accounting information.

These things are so important, it’s no wonder they got their own term.

SAS 70

But like I said, now that the door was open to compliance standards, things evolved. One example is SAS 70, which developed into what was once the most prominent auditing standard allowing a service organization to disclose the effectiveness of its controls to its customers.

SAS 70 had actually been around since 1992, but its rise can be attributed to the fact that it helped companies meet Section 404 of the newly established SOX, the section requiring management to assess internal control over financial reporting. A company that had outsourced part of that processing to a service provider could rely on the provider's SAS 70 report rather than auditing the provider itself. SAS 70 became so prominent that it even became the namesake of one firm you may recognize:

In 2002, SAS 70 Solutions was born, eventually to become what is now Schellman & Company. So while SAS 70 was important in the world of security compliance, it also represents our literal roots at Schellman, as the first auditing service we provided.

The Lasting Power of SOC

Despite that, if you go on our website today, you’ll notice under our offerings that SAS 70 is not listed.

It’s not that we’ve moved away from our humble beginnings; the industry did, and we dutifully followed. As SAS 70 grew in popularity, some distinct shortcomings of this type of audit were exposed, especially for technology companies.

Tech has been advancing at a supersonic rate for a while now, and around ten years ago, more and more organizations were pivoting towards cloud computing, hosted servers, or colocation. SAS 70, however, was scoped to controls relevant to a customer's financial reporting, so the security and availability controls that mattered for these services could not be properly assessed or reported on in a SAS 70 audit. A new standard, SSAE 16, was introduced in 2010.

You probably know it, because completed successfully, it results in a SOC 1 report. Strictly speaking, SOC 1 kept SAS 70's focus on controls relevant to financial reporting; it was the SOC 2 report, built on the AICPA's Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), that covered what technology providers needed to demonstrate. From there, SOC grew even more: three different reports (SOC 1, SOC 2, and SOC 3) were released between 2010 and 2011, and more recently, SOC for Cybersecurity and SOC for Supply Chain have been created as well to suit different organizational needs.

(I don’t have the space to cover all of these in the depth they deserve within the scope of this blog, but each has its own strengths and emphases. If you want more information on the differences, check out a more detailed post here.)

Well Then, What Is ISO 27001?

SOC remains a popular standard even today and our bread and butter here at Schellman, but it’s not the only compliance standard out there, whether we offer it or not. ISO 27001 has also risen to prominence, thanks to its more holistic approach to information security, and probably also because it maps quite nicely to SOC 2.

We’ve written about that before too, but at a high level, you should know SOC and ISO 27001 have similarities as far as the security controls they test. They are just maintained by different bodies (the AICPA for SOC; ISO and IEC for 27001), and, like I said before, ISO 27001 takes a different approach: rather than an auditor reporting on the controls themselves, the organization is certified against the standard's requirements for an information security management system (ISMS), the ongoing process by which it identifies risks, selects controls, and reviews them.

In general, we might say that SOC and ISO 27001 are cousins that can mutually benefit one another, and the importance of both can be traced back to Enron in 2001 and SOX in 2002.

What’s Next?

Given the information security developments made in their wake, the Enron debacle and the subsequent SOX Act represent significant events in recent history, but the industry has proven that it doesn’t need similar devastation to keep progressing. We have already come a long way even from SAS 70, and the space continues to grow.

As organizations evolve and technology improves, we expect the compliance space to follow suit. The latest iterations, such as SOC for Cybersecurity, ISO 27018 (protection of personal data in public clouds), and ISO 27701 (privacy information management), are examples of this, and there is more to be said about them, as well as the many other standards and regulations that continue to govern how well we all protect our data.

It’s always good to look back at where we came from, but history is still history. Having been at the forefront of all these developments so far, we at Schellman are looking forward to the future and our continued leadership in this space, one audit at a time.

About the Author

Ben Kwan

Ben Kwan is a Senior Associate with Schellman & Company based in Los Angeles, CA. As a Senior Associate with Schellman, Ben is focused primarily on ISO audits across various industries.
