SOC 3 vs. SOC 2: What’s the difference, and how do you get a SOC 3 report?
Here at Wipfli, we are often asked by our clients and prospects, “When does it make sense to prepare a SOC 3 report, and what additional value would it provide our organization?”
To help answer this question, let’s examine the American Institute of Certified Public Accountants’ (AICPA) description of a SOC 3 report:
“These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® Report. Because they are general use reports, SOC 3® Reports can be freely distributed.”
The AICPA’s description makes it clear that a SOC 3 report is derived from a SOC 2 examination and presents information about a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy, but in a form intended for readers who do not need (or could not make use of) the detail in a SOC 2 report.
SOC 3 vs SOC 2: Why you need SOC 2 first
This is where a caveat comes into play: before an organization can obtain a SOC 3 report, it must first undergo a SOC 2 examination. That examination validates 1) whether the description of the organization’s system was presented in accordance with the description criteria, and 2) whether the controls stated in the description were suitably designed and operating effectively to provide reasonable assurance that the organization’s service commitments and system requirements were achieved, based on the applicable trust services criteria. Because the SOC 3 opinion covers operating effectiveness over a period, it is based on a SOC 2 Type 2 examination, not a point-in-time Type 1 examination.
Once an organization completes its SOC 2 examination, it can begin distributing the SOC 2 report to its user entities (i.e., clients) and to business partners that interact with the system. At that point, the organization can also go a step further and have its service auditors prepare a SOC 3 report. The SOC 3 report can be shared with a general audience, such as prospects, or existing clients that currently use other offerings but may be interested in using the system once they learn more about its design and the controls and practices in place to protect it against security threats, data loss and malicious activity.
So what would it take for your organization to go a step further and differentiate itself from market competitors by offering a SOC 3 report? From an audit procedure perspective, nothing additional is required of you: the system description presented in a SOC 3 report is taken directly from the SOC 2 report by your service auditors. Since a SOC 3 report is intended for a general audience, it includes just enough of the system description for that audience to understand how the system operates and how it is protected against common threats. A SOC 3 report excludes the often sensitive and technical descriptions of the auditor’s control tests and the results of those tests; that information only needs to be shared with the limited audience that uses and relies on the system extensively for its daily operations.
Since a SOC 3 report covers the same areas of focus as a SOC 2 report in a much more condensed form, it offers a strong marketing opportunity: organizations can demonstrate their commitments to security, availability, processing integrity, confidentiality or privacy in a concise document that can be freely shared and easily digested by a general audience with a wide range of technical knowledge.
If you believe your organization can benefit from a SOC 3 report and its marketing reach, our team at Wipfli would love to sit down and help you learn more. We can take you through how a SOC 3 report can make an impact for your organization and what steps you would need to take to obtain one.