What is the SOC 3 Report?
A SOC 3 report is a publicly available summary of a service organization’s controls over security, availability, processing integrity, confidentiality, and privacy, providing assurance to a wide audience about their data protection practices.
The SOC 3 report, similar to SOC 2, provides interested parties with a service auditor’s opinion about the effectiveness of controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
While the SOC 3 is similar to a SOC 2 report in the subject matter included, it is the report that differs. A SOC 3 report does not include the specific controls in place, testing procedures, or test results, and the narrative system description is significantly condensed to a description of services offered. Additionally, the report contains a condensed independent auditor’s opinion, management’s assertion, and system description. The SOC 3 report is permitted to be freely distributed and posted on your website.
No additional work is required on your end if you already have a SOC 2 Type 2 examination. This additional deliverable can be added at the same time as a SOC 2 Type 2 report. If you already have a SOC 2 Type 2 examination, no further effort is needed on your part. This additional deliverable can be incorporated.
SOC Report Services
There’s a lot to know about SOC 1, SOC 2, and SOC 3 reports. If you have interest in learning more about SOC 1 and SOC 2, information on how to read and understand a SOC report, or are looking to get started on partnering with a licensed CPA firm, GBQ can help.