SOC 3 Reports: When do they make sense?

SOC 1 (formerly SSAE 16) vs. SOC 2 vs. SOC 3…it can all be rather confusing. Some of our clients occasionally ask us when it is a good idea to get a SOC 3 report. The answer for most companies is that a SOC 3 is not necessary. Out of the three SOC reports, a very small percentage are SOC 3s. So when does it makes sense to get a SOC 3?

The AICPA website says, “SOC 3 reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report. These reports are prepared using the AICPA/CPA Canada (formerly Canadian Institute of Chartered Accountants) Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because SOC 3 reports are general use reports, they can be freely distributed.”

A SOC 3 report is similar to a SOC 2 report and can cover any of the Trust Services Principles. The difference between a SOC 3 and a SOC 2 is that the SOC 3 report can be freely distributed. Many times it is posted on a company’s website. A SOC 3 report also differs from a SOC 2 in that it does not contain a detailed description of the service auditor’s tests of controls, results of testing, or the auditor’s opinion on the description of the service organization’s system. The lack of a detailed report requires that a SOC 3 be performed as a Type II, unlike SOC 1 and SOC 2 where there is a Type I option.

SysTrust and SOC 3 SysTrust for Service Organization Seals

In the past, service organizations receiving a SOC 3 were required to pay for a SOC 3 SysTrust service organization seal. On October 2, 2014, the AICPA and CPA Canada discontinued the seal program. The cessation of the seal program had no impact on the performance of Trust Services/SOC 3 engagements or the issuance of Trust Services/SOC 3 reports by practitioners. Practitioners and service organizations looking to market their SOC 3 engagements should use the AICPA SOC logo.

Marketing with a SOC 3 Report

SOC 3 reports are intended for general use and can be freely distributed on a service organization’s website. This makes SOC 3 reports a great marketing tool to demonstrate to current and prospective customers that a service organization has the appropriate controls to mitigate risks related to the security, availability, privacy, and confidentiality of customer information being processed. For example, a publicly available SOC 3 report for a data center hosting provider could be used by affiliates or re-sellers of the data center services to address the concerns of prospective customers regarding the security and privacy of their information.