One of the most common questions we hear field is, what is a SOC 3 report and do we need one?
What is a SOC 3 report?
SOC for Service Organizations: Trust Services Criteria for General Use Report – Trust Services Report for Service Organizations (SOC 3) are general use reports that can be posted on a company’s website, they provide assurance to user entities about controls relevant to security, availability, processing integrity, confidentiality, or privacy and are intended for users that don’t have the need for information included in a SOC 2 report.
What is not included in a SOC 3 Report?
SOC 3 reports do not include management’s descriptions of the system or descriptions of the service auditor’s tests of controls and test results.
When are SOC 3 reports appropriate?
SOC 3 reports are appropriate when you determine prospective customers don’t require a SOC2 Type 2 report in order to make an informed decision about using your services. However, since SOC3 reports omit key information, your prospective customers will eventually want the assurance of a SOC2 Type 2 report. Therefore, always engage your auditor to perform a SOC2 Type 2 first, prior to determining if a SOC3 is appropriate.
How are SOC 3 reports performed?
SOC 3 reports include management’s assertion stating controls were effective over a period of time, the system boundaries, and the service commitments and system requirements, and auditor’s opinion about whether the assertion is fairly stated. SOC 3 reports are performed with the same procedures as a SOC 2 Type 2 audit.
SOC Resources
About SOC 3 Examinations
SOC 3 examinations are designed to meet the needs of users that desire assurance about the controls at a service organization that cover the same five categories as the SOC 2, but do not have the need for or the knowledge necessary to make effective use of the details contained in a SOC 2 report. Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website.
How Can Schneider Downs Help?
Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc.
