There are some close similarities in Service Organization Control (SOC) attestation documents, particularly between SOC 2 and SOC 3 reports, that focus on an organization’s controls in areas such as operations and compliance. Both are performed in accordance with AT Section 101: Attest Engagements, both are ideally suited for financial services, health care and other technology-based entities heavily reliant on cloud computing and online systems, and both must include one or more of the following trust services principles:
- Security. This means that systems are protected against unauthorized access, use or modification, in accordance with the organization’s business commitments and system requirements.
- Availability. This means the organization’s system is readily available for operation and use.
- Processing integrity. This means that the organization’s system processing has been found to be accurate, complete, timely and valid.
- Confidentiality. This means that the organization’s confidential information is protected.
- Privacy. This means all personal information is collected, used, retained, disclosed and destroyed within the boundaries of the organization’s business commitments and system requirements.
However, there are also important distinctions between these reports. For example, a SOC 3 report is focused specifically on a service auditor’s opinion on whether the organization maintained operating effectiveness over the selected trust services principles. Another key difference between the reports is the intended audience. Because a SOC 3 report contains only the service auditor’s opinion letter, it can be published on the organization’s web site or otherwise distributed without restrictions. On the other hand, since SOC 2 reports include detailed descriptions of the service auditor’s control tests and results, distribution of that report is generally restricted to key stakeholders, such as customers, regulators, suppliers or directors.
Please contact us for more information on SOC reports or other business accounting issues.
May 9, 2017