SOC logos are available for use by service organizations that have undergone a SOC 1 (formerly SSAE 16), SOC 2, or SOC 3 engagement within the prior 12 months. These logos are designed to make the public aware of these SOC services and do not offer or represent assurance that an organization obtained an unqualified opinion. A seal is available only for SOC 3 engagements. This seal requires the SOC 3 examination to cover one or more of the AICPA/CICA Trust Services Principles and Criteria, and the examination must result in an unqualified opinion. A SOC 3 SysTrust for Service Organization Seal may be issued and displayed on a service organization’s website. Typically, the seal is linked to a public report issued by the practitioner.
SOC 1 and SOC 2 reports cannot display a compliance seal because these types of reports are not intended for use as a marketing or sales tool. A SOC 1 is intended to provide information that is useful for making decisions about the user organization’s own internal controls over financial reporting. Use of a SOC 1 is restricted to management of the service organization, user entities that are customers of the service organization, and user auditors. A SOC 2 report, which covers controls over security/systems and privacy rather than financial reporting, is also generally limited to specified parties, such as customers, regulators, business partners, and suppliers. Organizations may nevertheless benefit from SOC 1 and SOC 2 reports from a marketing and sales perspective, because the reports fulfill prospective client requirements. Obtaining them also demonstrates that the organization takes process and controls seriously.