Hunter McKinlay, CPA, is an Audit Senior at Larson & Company. He specializes in audits and advisory services for a wide range of companies.

 

What is a SOC 3 Report?

You can think of a SOC 3 report as the whitepaper version of a SOC 2 report. According to the AICPA, the authoritative body on SOC testing and reporting, “[SOC 3] reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® Report.” (https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement)

The format starts in a similar manner (Cover page, Independent Service Auditor’s/Accountant’s Report), except that in lieu of the System Description and Results of Testing, etc., the SOC 3 report presents the Boundaries of the System Description and Principal Service Commitments and System Requirements, respectively. Since the detailed system description and the matrix of controls and results of testing of the controls are removed, the report may be shared with any interested users.

Benefits of SOC 3 Reporting

  • Marketing:
    • General use reports can be posted to a company’s website for potential customers to see during their initial research of a service organization
    • Reports can help to differentiate a service organization from competition that is not SOC compliant
  • Economical:
    • Generally, only an incremental fee if coupled with a SOC 2 engagement
    • Reports are easier to share than SOC 2 reports and require less employee time
  • Other:
    • Reporting is simpler to understand and may require less technical background
    • Summary-level information is less tedious for report users

A Word of Caution

Owing to the pervasive availability of the SOC 3 report, it is important to remove any potentially compromising information about your company’s network infrastructure or preferred applications from the report so as not to create opportunities to exploit any vulnerabilities in your network.

 

For more information about this topic, please contact Larson & Company today.