SOC 3 Reports
A SOC 3 report is considered a "General Use" report. Similar to a SOC 2 report, a SOC 3 report provides report users assurance regarding the design and operating effectiveness of controls over the service organizations system using the trust service criteria. The auditor's procedures for conducting a SOC 3 assessment are the same as that of a SOC 2. Therefore, in some cases, service organizations may request a SOC 3 report in conjunction with a SOC 2.
​
The primary differences between SOC 2 and SOC 3 is within the details presented in the report. Here's some of the key differences of a SOC 3 report:
​
-
Management of the service organization does not provide a "detailed" description of the system.
-
The service auditor does not render an opinion on the fairness of the presentation of the description.
-
The service auditor does not provide a detail description of the auditors tests of the operating effectiveness of controls and the results of those tests.
​
By removing the above details, the report can be distributed to any interested party, regardless of the level of knowledge the party has on the service organizations system. However, the SOC 3 report may not provide the necessary information and assurance to customers, business partners, and other key stakeholders that have the knowledge of the system evaluated.
The AICPA broadened the use and purpose of SOC to go beyond Service Organizations and be applicable to all organizations that have some risk to cyber threats. SOC stands for “Systems and Organization Controls” and here are some of the more common SOC reports:
​
-
SOC 1 – SOC for Service Organizations: Internal Controls over Financial Reporting (ICFR)
-
SOC 2 – SOC for Service Organizations: Trust Services Criteria (TSC)
-
SOC 3 – SOC for Service Organizations: TSC – General Purpose Report.
-
SOC for Cybersecurity
​
1st Secure Compliance, LLC CPA practice is focused on providing high quality services for SOC assessments.