SOC 1 (formerly SSAE 16) vs. SOC 2 vs. SOC 3…it can all be rather confusing. Some of our clients occasionally ask us when it is a good idea to get a SOC 3 report. The answer for most companies is that a SOC 3 is not necessary. Of the three SOC report types, only a very small percentage of reports issued are SOC 3s. So when does it make sense to get a SOC 3?
The AICPA website says, “SOC 3 reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report. These reports are prepared using the AICPA/CPA Canada (formerly Canadian Institute of Chartered Accountants) Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because SOC 3 reports are general use reports, they can be freely distributed.”
A SOC 3 report is similar to a SOC 2 report and can cover any of the Trust Services Principles. The key difference between a SOC 3 and a SOC 2 is that the SOC 3 report can be freely distributed; it is often posted on a company’s website. A SOC 3 report also differs from a SOC 2 in that it does not contain a detailed description of the service auditor’s tests of controls, the results of testing, or the auditor’s opinion on the description of the service organization’s system. Because the report lacks this detail, a SOC 3 must be performed as a Type II examination, unlike SOC 1 and SOC 2, where a Type I option exists.
SysTrust and SOC 3 SysTrust for Service Organization Seals
In the past, service organizations receiving a SOC 3 were required to pay for a SOC 3 SysTrust service organization seal. On October 2, 2014, the AICPA and CPA Canada discontinued the seal program. The cessation of the seal program had no impact on the performance of Trust Services/SOC 3 engagements or the issuance of Trust Services/SOC 3 reports by practitioners. Practitioners and service organizations looking to market their SOC 3 engagements should use the AICPA SOC logo.
Marketing with a SOC 3 Report
SOC 3 reports are intended for general use and can be freely distributed on a service organization’s website. This makes SOC 3 reports a useful marketing tool to demonstrate to current and prospective customers that a service organization has the appropriate controls in place to mitigate risks related to the security, availability, privacy, and confidentiality of the customer information it processes. For example, a publicly available SOC 3 report for a data center hosting provider could be used by affiliates or resellers of the data center’s services to address prospective customers’ concerns about the security and privacy of their information.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.