Basics of SOC 3
A SOC report is an internal control report that allows an organization to assess the risks
associated with outsourcing. The new framework for SOC reporting introduced the SOC 3 report, which
shows whether or not a service organization has met any of the Trust Services Principles and Criteria.
Because a massive amount of confidential or finance-related information circulates on the Internet on
a regular basis, the Trust Services Principles focus on e-commerce systems. Reports derived from the
trust principles are known as WebTrust, which can be classified as WebTrust, WebTrust Online Privacy,
WebTrust Consumer Protection, and WebTrust for Certification Authorities; and SysTrust, which covers
security, availability, processing integrity, and confidentiality.
Purpose of SOC 3
According to the second volume of the ISACA Journal published in 2011, the SOC 3 report is designed
to address the needs of users who require assurance regarding the service organization’s controls over
confidentiality, availability, processing integrity, security, and privacy, but who are not experts in, or
familiar with, how to use a SOC 2 report effectively. In addition, non-financial controls that are pertinent
to the service organization’s compliance and operations are reported on in SOC 3.
Scope of SOC 3
SOC 3 reports are performed under AT 101, Attestation Engagements, and the AICPA Technical
Practice Aid, Trust Services Principles, Criteria, and Illustrations. These reports cover the criteria laid out
by the AICPA, including the five key control domains. After a detailed examination of these criteria, the
auditor produces a general summary that shows whether the service organization has achieved the
required measures. For example, when an auditor assesses the processing integrity of a service
organization’s controls, the auditor tests the timeliness, accuracy, completeness, and authorization of
system inputs and outputs. The resulting processing integrity report gives the user entity information on
the quality of processing that it could not obtain from simple monitoring.
SOC 3 vs SOC 2
Similar to a SOC 2 report, the primary focus of a SOC 3 report is on controls related to any of the
Trust Services Principles. What makes SOC 3 different from SOC 2 is that SOC 2 reports include a
comprehensive description of the auditor’s tests of controls, the results of those tests, and the service
auditor’s opinion on the description of the service organization’s system. By contrast, SOC 3 reports
contain only the auditor’s report on the system’s adherence to the trust services criteria. SOC 3 reports
therefore carry less detailed information about the inner workings of the organization.
In terms of intended audience, SOC 3 is a general-use report: SOC 3 reports are made available to
the public and can be used as a marketing tool (e.g. posting the AICPA SOC 3 seal on the service
organization’s web page).
Displaying the AICPA SOC 3 seal is probably the most attractive feature of SOC 3. However, the
service provider has to meet all of the criteria. If it does not, the service provider cannot advertise its
SOC 3 seal until the point(s) in question are rectified and re-audited.