Several of our clients, current as well as prospective have posed a question to us about the applicability of a SOC 3 report and its benefits. I thought some additional information drawing clarity to the question will be beneficial to others who read this Blog especially for those that have the same question.
So what is a SOC 3 report? A SOC 3 Report is a report on controls at a service organization addressing matters other than financial reporting. A SOC 3 report is prepared using the AICPA/Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
A SOC 3 report is meant to meet the needs of users who want assurance on controls at a service organization related to either security, availability, processing integrity, confidentiality, or privacy but do not have the need for or the knowledge necessary to make effective use of a more detailed SOC 2 Report. Essentially a SOC 3 report is nothing but an abridged version of a SOC 2 report in that it does not provide the information on the details of the tests performed by the Service Auditor.
The Components of a SOC 3 Report are:
- The service auditor’s report on whether the entity maintained effective controls over its system as it relates to the principle being reported on i.e., security, availability, processing integrity, confidentiality, or privacy, based on the applicable trust services criteria.
- Management’s Assertion on the controls of the service organization’s based on the AICPA /CICA Trust Services principle being reported on.
- A brief description of the service organization’s system.
Because a SOC 3 is a general use reports, it can be freely distributed or posted on a website as a seal. For more information about the SysTrust for Service Organization seal program go to www.webtrust.org.