June 22, 2021

What is a SOC 3 Report?

Cybersecurity, IT Risk Advisory, SOC
by Schneider Downs Professional

One of the most common questions we hear field is, what is a SOC 3 report and do we need one?

What is a SOC 3 report?

SOC for Service Organizations: Trust Services Criteria for General Use Report - Trust Services Report for Service Organizations (SOC 3) are general use reports that can be posted on a company's website, they provide assurance to user entities about controls relevant to security, availability, processing integrity, confidentiality, or privacy and are intended for users that don't have the need for information included in a SOC 2 report.

What is not included in a SOC 3 Report?

SOC 3 reports do not include management's descriptions of the system or descriptions of the service auditor's tests of controls and test results.

When are SOC 3 reports appropriate?

SOC 3 reports are appropriate when you determine prospective customers don't require a SOC2 Type 2 report in order to make an informed decision about using your services. However, since SOC3 reports omit key information, your prospective customers will eventually want the assurance of a SOC2 Type 2 report. Therefore, always engage your auditor to perform a SOC2 Type 2 first, prior to determining if a SOC3 is appropriate.

How are SOC 3 reports performed?

SOC 3 reports include management's assertion stating controls were effective over a period of time, the system boundaries, and the service commitments and system requirements, and auditor's opinion about whether the assertion is fairly stated. SOC 3 reports are performed with the same procedures as a SOC 2 Type 2 audit.

SOC Resources

About SOC 3 Examinations

SOC 3 examinations are designed to meet the needs of users that desire assurance about the controls at a service organization that cover the same five categories as the SOC 2, but do not have the need for or the knowledge necessary to make effective use of the details contained in a SOC 2 report. Because they are general use reports, SOC 3 reports can be freely distributed or posted on a website.

How Can Schneider Downs Help?

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

our thoughts on

Cybersecurity, IT Risk Advisory, Risk Advisory/Internal Audit BY Nathan Shepler 4.19.2024

8 Key Considerations When Reviewing User Access

SOC 2 Terminology: Vendor vs Subservice Organization vs Subcontractor vs Third Party vs Nth Party

Did Poor Change Management Contribute to the AT&T Wireless and McDonald’s Outages?

Subservice Organizations: Their Role and Impact on Your SOC Report

Allegheny County Marriage License Data Leak May Affect Recent Newlyweds

IT Risk Advisory BY Sean Thomas 4.1.2024

PCI DSS v4.0 is Here…Are You Ready?