SOC 3 Report: What is it?

Trust Services Report for Service Organization: SOC 3 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations that also are used in SOC 2 engagements. The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor's tests of controls and results of those tests as well as the service auditor's opinion on the description of the service organization's system. A SOC 3 report is a general-use report that provides only the auditor's report on whether the system achieved the trust services criteria. There is no description of tests and results or opinion on the description of the system. It also permits the service organization to use the SOC 3 seal on its website. SOC 3 reports can be issued on one or multiple Trust Services principles, which are security, availability, processing integrity, confidentiality and privacy.

Example: Putting a SOC 3 Report to Work

Companies that use a business partner to perform part of their operations for selling goods via the Internet often find that their customers are concerned with the privacy of the information they provide to the company and the business partner. Since many customers would like assurance about how the privacy of that information is being managed and processed, the business partner service organization can use a SOC 3 report to address such concerns. For example, a large online retailer may establish an affiliates program that permits small specialist retailers to use the transaction processing systems of the online retailer. Because of the concern that many customers of the specialist retailers may have regarding the online retailer's collection and use of purchase information, the online retailer and the specialist retailers wish to assure customers that the online retailer maintains the privacy of customers' information. Management of the online retailer may request a SOC 3 engagement, performed by a CPA over the system or processing using the Trust Services Principles and Criteria, and may then distribute the SOC 3 report to customers via a link on its website and publicly display the SOC 3 Report: SysTrust for Service Organizations seal.
