Who should consider a SOC 3 Report?

Certified public accountants perform SOC (System and Organization Controls) examinations in order to analyze the strength and functionality of  your company’s systems. SOC3 reports are freely distributed to the public to provide assurance in your company’s information security and management. Learn about the scale and scope of SOC3 reports and why they are so valuable for today’s businesses.

What is a SOC 3 Report?

A SOC 3 report is a concise, user-friendly version of the SOC 2 Type 2 report that can be freely distributed to the public. Similar to the SOC 2 report, SOC 3 reports focus on the technical details of your product and on the information technology controls in place to support the security of your product, its underlying infrastructure and supporting systems, and of customer data. Adding a SOC 3 report is an easy and cost-effective way to communicate your focus on security and compliance to a broader audience.

SOC 2 reports are restricted-use, meaning they can only be distributed to select groups, such as existing customers, business partners, prospective customers, and Company Management. There is a significant amount of overlap in the SOC 2 and SOC 3 reports, but a SOC 3 report does not require the same level of detail as a SOC 2 report. SOC 3 reports exclude details that aren’t intended for public use. SOC 3 reports can only be issued to Companies that successfully complete a SOC 2 Type 2 examination.

Who Benefits from a SOC 3 Report?

Companies that benefit from receiving a SOC 2 often benefit from a SOC 3, including companies that provide software or services to enterprise customers, collect sensitive customer information, or who are in highly regulated industries.

Companies that rely on their website and digital marketing strategies for customer acquisition benefit greatly from a SOC 3, as prospective customers can quickly evaluate a company’s focus on security and compliance directly through the website. This makes SOC 3 reports highly scalable ways to communicate your security posture and compliance with customer commitments.

What Does a SOC 3 Report Cover?

Similar to a SOC 2 report, SOC 3 reports cover one or more Trust Services Categories defined by the American Institute of Public Accountants (AICPA) – security, availability, processing integrity, confidentiality, and privacy. SOC 2 and 3 examinations always include security, while availability, processing integrity, confidentiality, and privacy can be added separately based on the specific software or services provided and the expectations of your customers. Our Risk Assurance & Advisory Team can also help you identify the categories that make the most sense for your organization.

Trust Services Categories Include

Security

Protection of information and systems against unauthorized access; disclosure of information; compromise of availability, integrity, confidentiality, or privacy; or other risks impacting the ability to support customer and meet company objectives

Availability

Accessibility of information and systems in accordance with customer contracts and service level agreements

Processing Integrity

Complete, accurate, timely, and authorized system processing

Confidentiality

Protection of confidential information in accordance with laws and customer requirements

Privacy

Collection, use, retention, disclosure, and disposal of personal information in accordance with privacy policies, laws, and customer requirements