When deciding what kind of SOC report your service organization needs, or what kind of report to request from a service organization you rely on, the options can be a little confusing, especially when choosing between a SOC 2 and a SOC 3 report.
Many of our clients ask us what a SOC 3 report is, how it differs from a SOC 2 report, and what the value is in obtaining one. There is no short answer, but the key difference is in who may receive the report: a SOC 2 report is a restricted-use report, while a SOC 3 report is a general-use report. Both are attestation examinations conducted in accordance with the AICPA's SSAE 18 standard, specifically sections AT-C 105 and 205, and both are measured against the same Trust Services Criteria.
In the following post, we'll dive deeper into the differences between SOC 2 and SOC 3 reports and provide further insight into how to decide which SOC report would be most appropriate for your service organization.
What are SOC Reports?
First, let’s cover some basics. System and Organization Controls (SOC) Reports are reports governed by standards issued by the AICPA and are relevant to service organizations that offer services such as software as a service, cloud computing, data hosting, etc.
SOC reports provide users of the service organization with information on the system-level and entity-level controls in place at the service organization and on the operating effectiveness of those controls. A service organization provides services and/or systems to user entities, and in doing so it can affect the user entities' internal control environment, their system requirements, and the commitments they make to their own customers. As such, many user entities and their auditors request information on the controls in place at the service organization, which can be provided in the form of a SOC report.
There are several SOC report options to choose from, including the most common types: SOC 1, SOC 2, and SOC 3. We are going to dive further into the SOC 2 and SOC 3 reports, their similarities, and their differences below. Check out our related article to learn more about the differences between SOC 1 and SOC 2 reports.
What is a SOC 2 Report?
SOC 2 reports are designed to meet the needs of a broad range of specified users, including the service organization's management, user entities, and user entities' auditors, who need detailed information about a service organization's controls relevant to the Trust Services Criteria (TSCs) issued by the AICPA. SOC 2 engagements are performed under the Statement on Standards for Attestation Engagements (SSAE) 18, specifically sections AT-C 105 and 205.
There are five TSCs that can be included in a SOC 2 report: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Only the Security TSC (also referred to as the common criteria) is required. The service organization decides whether to include any of the other four in the scope of the SOC 2 report based on the risks present in the services it provides and the commitments it makes to its customers.
What is a SOC 3 Report?
A SOC 3 report, like a SOC 2 report, is also performed under the SSAE 18 standard, specifically sections AT-C 105 and 205, and is evaluated against the same Trust Services Criteria.
According to the AICPA, a SOC 3 report is, “designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report.”
In practice, this means a SOC 3 does not contain the same level of detail on the system and services, the controls tested by the service auditor, or the results of those tests, because its intended users do not need that level of information; a SOC 2 report does contain it. For this reason, SOC 3 reports are general-use reports and are typically used by the service organization as a marketing tool, provided to prospective customers who do not need the level of information in the SOC 2 report.
What is the Difference Between a SOC 2 Report & a SOC 3 Report?
Since SOC 2 and SOC 3 reports are governed by the same AICPA standards, the work performed by the service auditor for the two reports is very similar. Both reports address the AICPA TSCs, so the controls identified and tested by the service auditor are typically the same for both. The key difference lies in the content of the final report and in who is permitted to receive it.
SOC 2 Reports
SOC 2 reports can be either a Type I or a Type II report, while a SOC 3 report is always a Type II; there is no Type I option for a SOC 3. (A Type I report covers the design of controls as of a point in time; a Type II report covers both the design and the operating effectiveness of controls over a period of time, typically six to twelve months.) Additionally, when a SOC 2 report and a SOC 3 report are viewed side by side, the SOC 3 is significantly shorter than the SOC 2. This is because a SOC 2 contains detailed information on the following:
- The service organization’s system/services.
- Their control environment.
- The controls tested by the service auditor.
- The detailed results of those tests.
Because of this level of detail, SOC 2 reports are restricted-use reports, intended for the service organization's management, its customers, and its customers' auditors, all of whom are expected to have sufficient understanding of the system to make effective use of the report.
SOC 3 Reports
SOC 3 reports, on the other hand, include management's assertion, the service auditor's opinion (which is also included in a SOC 2), and typically a shorter version of the overview of the organization and the system description than what is presented in a SOC 2. They do not contain the controls tested by the service auditor or the detailed results of those tests. This is what allows SOC 3 reports to be general-use reports that the service organization can distribute freely.
Oftentimes, service organizations will make their SOC 3 available on their website whereas customers must request a copy of the SOC 2 from the service organization.
When Would a SOC 3 Report Be Most Appropriate?
Users of a SOC 3 obtain assurance, in the form of the service auditor's opinion, regarding the service organization's controls related to the TSCs covered in the report, which makes a SOC 3 a good option for prospective customers.
A SOC 3 alone would typically not satisfy the needs of current customers and their auditors, because it does not provide the controls tested or the results of that testing. Customers and their auditors often want or need to evaluate how their own internal control environment, system requirements, and service commitments are affected by the service organization, and that evaluation requires the detail found only in a SOC 2. On the flip side, if a prospective customer is deciding whether to engage the services or systems provided by the service organization, reviewing the SOC 3, if one is available, is a good starting point. The auditor's opinion in a SOC 3 is a useful indicator of the state of the service organization's control environment in relation to the TSCs.
In many situations, we see clients obtaining either a SOC 2 report alone or both a SOC 2 and a SOC 3 report with the same scope and reporting period. The cost of performing these SOC reports is similar, because the same amount of testing is required to determine whether the applicable criteria are being met, so it is rare to see a service organization with only a SOC 3 report and no SOC 2 report. If a service organization would like a SOC 3 report, it usually makes more sense to obtain a SOC 2 and a SOC 3 together and leverage the same testing for both.
In summary, it can be difficult for a service organization to determine which of the most commonly used SOC reports (SOC 1, SOC 2, and SOC 3) is the right report for them. They all serve different purposes.
When deciding between a SOC 2 and a SOC 3 report, the key things to remember are that SOC 2 reports are restricted-use reports that contain detailed information on the system, the control environment, the controls tested by the service auditor, and the results of those tests, whereas a SOC 3 report is a general-use report that does not include the controls tested or the results of those tests but does include the overall audit opinion.
SOC 3 reports are useful marketing tools for prospective customers but do not provide the level of detail required by current customers and their auditors, who typically require a SOC 1 or SOC 2 report from their service organizations in order to review the detailed testing results.
This article was originally published on 6/26/2019 and was updated on 11/30/2022.
Megan Kovash works primarily on SOC audits, with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Master of Accountancy at the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions that improve her clients' businesses.