The SOC 2 report and SOC 3 report were developed by the AICPA and continue to be the gold standard for SOC reporting on controls at a third-party service provider.
What Is A SOC 3 Report?
A SOC 3 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy. We outline the details of a SOC 2 compliance audit here.
SOC 2 vs. SOC 3 Report Similarities
Before we dive into differences, let’s start with how they are similar. From an auditing perspective, System and Organization Controls (SOC) 2 and SOC 3 audit examinations are nearly identical in that they both are conducted in accordance with the same standards (AT-C Sections 105 and AT-C Section 205) and guidance (SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy). Both reporting frameworks cover the same subject matter and they are based on the five Trust Services Principles (TSP) (security, confidentiality, availability, privacy and processing integrity). In fact, a SOC 3 report cannot be generated without first executing the steps necessary to complete a SOC 2 examination.
Difference Between SOC 2 and SOC 3 Compliance
Where SOC 2 audit report and SOC 3 audit report examinations differ is in the reporting. Specifically, they vary in use of the report and level of detail contained in the description. The driving force behind the differences between the two reports begins with the intended distribution of the report. A SOC 2 report is a restricted use report that is solely intended for the user entities, management of the service organization, and other specified parties. Meanwhile, a SOC 3 report is a general use report that is freely distributed to the public and is intended for users that are only interested in a broad overview of the service organizations and the service being provided. In general, a SOC 3 audit report is generally used by service organizations for marketing purposes, while a SOC 2 report is better suited for a service organization to provide their user entities that seek details as to how the service organization is performing in maintaining controls to protect their interests.
A summary of the differences between a SOC 2 and SOC 3 are detailed in the table below:
| SOC 2 | SOC 3 | |
|---|---|---|
| Type I Report | Yes, a SOC 2 Type I report is available for service organizations seeking to report on the fairness of the description and suitability of design of controls. | No, a SOC 3 report can only be completed on the Type II examination. |
| Type II Report | Yes, a SOC 2 Type II report is available for service organizations seeking to report on the fairness of the description, suitability of design of controls, and operational effectiveness of the controls over a period of time. | Although there is no designated Type I or Type II for a SOC 3, a SOC 3 report is required to be performed as a SOC 3 Type II examination. |
| Intended Users of Report | Restricted Use Report – Intended for the service organization’s management, customers, and prospective customers | General Use Report – Intended to be distributed to any individual and/or parties. |
| Report Contents | ||
| Independent Auditors Report | Yes, included. | Yes, included, however, it is brief as compared to the SOC 2 Independent Auditors Report. |
| Management Assertion Letter | Yes, included. | Yes, included. |
| Description | Yes, included. | Yes, included, however, it is significantly less entailed as compared to a SOC 2. Limited details are provided due to the fact that the report is general distribution and is oftentimes made accessible on a service organization’s webpage. |
| Listing of Controls | Yes, included. | No, a listing of controls is not provided. In fact, the description should also include limited control details. |
| Listing of Tests of Operational Effectiveness | Yes, included in a SOC 2 Type II report only. | No, similar to the fact that controls are not listed, neither are details relating to the tests performed to evaluate the controls. |
Who Can Perform A SOC 2 Audit?
In order to get a SOC 3 audit, you’ll need to engage with an AICPA approved, third-party independent CPA. Withum has a team of SOC specialists that are trained and well-versed in the intricacies of SOC 3 compliance and the needs of our clients. To discuss your SOC report needs with one of Withum’s SOC Specialists, contact us online, or give us a call at(609) 520-1188 and ask for Tony Chapman.
