[1] The "service auditor’s examination" of SAS 70 is replaced by a System and Organization Controls (SOC) report.
The SSAE 16 standard requires a minimum of six months of operation of the controls for a SOC 1 Type 2 report.
However, there are also a number of provisions of the Act (e.g. the willful destruction of evidence to impede a federal investigation) that apply to privately held companies.
These reports will now be considered SOC 2 audits and focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
In technology SaaS companies, the SOC 2 audit is purchased to provide an assurance on various aspects of the software including security, availability, and processing integrity.