When deciding what kind of SOC report your service organization needs, or what kind of report to request from your service organization, the options can be a little confusing, especially when considering whether you need a SOC 2 or a SOC 3 report.
Many of our clients ask us what the difference is between a SOC 2 and a SOC 3 report and what the value is in obtaining a SOC 3 report. The short answer is that SOC 2 and SOC 3 reports are both attestation examinations conducted in accordance with the SSAE 18 standard, specifically sections AT-C 105 and 205, governed by the AICPA.
The main difference is a SOC 2 is a restricted use report and a SOC 3 is a general use report.
In the following post, we’ll be diving deeper into the differences between SOC 2 and SOC 3 reports and providing further insight into how to decide which SOC report is the right report for your service organization.
What are SOC Reports?
First, let’s cover some basics. System and Organization Controls (SOC) Reports are reports governed by standards issued by the AICPA and are relevant to service organizations who offer services such as software as a service, cloud computing, data hosting, etc.
System and Organization Controls (SOC) is a common phrase used by CPAs and service organizations to refer to system-level and entity-level controls at a service organization. A service organization provides services to other entities and they have system and organization controls in place which make up the organization’s internal control environment.
There are several SOC report options to choose from: SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity. We are going to dive further into the most commonly used SOC reports (SOC 1, SOC 2 & SOC 3) and their differences below.
What is a SOC 1 vs a SOC 2 Report?
SOC 1 reports are outlined in the Statement on Standards for Attestation Engagements (SSAE) 18, specifically section AT-C 320. A SOC 1 report is typically the right choice when the service organization can impact its customers’ internal control over financial reporting (ICFR). In other words, internal controls at the service organization can impact its customers’ financial statements.
For example, a service organization could need a SOC 1 if it performs payroll processing, claims processing, or credit card payment processing, or operates a data center.
The key difference to note in a SOC 1 vs a SOC 2 is that a SOC 1 focuses on a service organization’s internal controls that can impact a customer’s financial statements while a SOC 2 focuses on controls relevant to compliance and operations, outlined by the AICPA’s Trust Services Criteria (TSCs).
What is a SOC 2 Report?
As mentioned above, SOC 2 reports are typically used to meet the needs of a broad range of users that are concerned with a service organization’s controls relevant to the TSCs outlined by the AICPA. Similar to a SOC 1, SOC 2 reports are outlined in the SSAE 18 standard but are addressed in sections AT-C 105 and 205.
There are five TSCs that can be included in a SOC 2 report, and the only TSC required in a SOC 2 report is the Security TSC. Service organizations can decide whether it is relevant for them to include the other four TSCs (Availability, Processing Integrity, Confidentiality, and Privacy) based on the risks present in the services they provide.
What is a SOC 3 Report?
A SOC 3 report, similar to a SOC 2 report, is also outlined in the SSAE 18 standard, specifically sections AT-C 105 and 205.
According to the AICPA, a SOC 3 report is, “designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report.”
Additionally, SOC 3 reports are general use reports so they can be used by the service organization as a marketing tool to provide to prospective customers.
What is a SOC 2 Report vs a SOC 3 Report?
Since SOC 2 and SOC 3 reports are governed by the same AICPA standards, the work performed by the service auditor for these two reports is very similar. Both reports are designed to address the AICPA TSCs so the controls identified and tested by the service auditor are typically the same for both reports. The key difference in these reports is in the reporting.
SOC 2 reports can be either a Type I or a Type II report, while a SOC 3 report is always a Type II and does not have the option for a Type I. Additionally, SOC 2 reports are restricted use reports, intended for the use of the service organization’s management, customers, and their customers’ auditors.
SOC 3 reports, on the other hand, are general use reports that can be distributed freely by the service organization. This is because SOC 3 reports contain significantly less detail in the report itself.
Oftentimes, service organizations will make their SOC 3 available on their website, whereas customers must request a copy of the SOC 2 from the service organization.
Unlike SOC 2 reports, SOC 3 reports do not include a detailed description of the controls tested by the service auditor, the test procedures, or the results of those test procedures. A SOC 3 report typically contains a short auditor’s opinion, a management assertion, and a system description.
As the report does not go into much detail on the system and how it operates, the controls tested, or the results of those tests, a SOC 3 is a great tool for marketing to prospective customers, but a SOC 3 alone would typically not satisfy the needs of current customers and their auditors.
In many situations, we see clients obtaining either a SOC 2 alone or both a SOC 2 and a SOC 3. As the cost of performing these examinations is similar, because the same criteria must be met, it often makes more sense to obtain a SOC 2 and add on a SOC 3 for an incremental fee.
In summary, it can be difficult for a service organization to determine which of the most commonly used SOC reports (SOC 1, SOC 2 and SOC 3) is the right report for them. They all serve a different purpose.
It is typically easier for a service organization to determine if they need a SOC 1 or a SOC 2 because the key difference between them is whether the service organization’s controls impact a customer’s internal control over financial reporting or not.
The decision becomes a little more difficult when deciding between a SOC 2 and a SOC 3. The key things to remember are that a SOC 2 is a restricted use report that contains detailed information on the system, the controls in place, the service auditor’s test procedures, and the results of those test procedures, while a SOC 3 is a general use report that does not include much detail and is a great marketing tool.
If you have additional questions regarding the differences between these commonly used SOC reports, please contact us at Linford & Co, LLP.
Megan Kovash works primarily on SOC audits with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Masters of Accountancy with the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her client’s business.