If your organization provides services as a product — whether you’re a technology firm, a software-as-a-service provider, or any company providing managed services to clients — you should take advantage of a SOC 3 report.
Similar to a SOC 2 report, a SOC 3 report contains an assertion by management that your organization has maintained effective internal controls relevant to one or more of the five Trust Services Principles (security, availability, processing integrity, confidentiality, and privacy).
The difference? While a SOC 3 report covers the same subject matter as a SOC 2 report, it provides a condensed, limited description of a system rather than a detailed description. This limited disclosure means a SOC 3 report can be freely distributed to the public.
Why issue a SOC 3 report?
- There’s no additional work.
For service organizations already issuing a SOC 2 report, no additional audit procedures are required of your service auditor.
- A SOC 3 report can be a vital marketing tool for your organization.
Your customers want to be assured you’re protecting their data and private information. When you issue a SOC 3 report, your clients can easily verify that best practices are being followed to guard against security breaches, lost sales, and corrupted data.
- Previous limitations on issuing a SOC 3 report have been removed by the AICPA.
In its previous guidance, the American Institute of Certified Public Accountants (AICPA) suggested a service auditor would be precluded from issuing an unqualified opinion on a SOC 3 report if either of the following situations occurred:
- A service organization used the services of a subservice organization and employed the carve-out method when developing its description.
- Complementary user-entity controls were significant to achieving the applicable trust services principles.
Because of the nature of outsourcing, most service organizations would have encountered at least one of these situations when developing their SOC reporting. Accordingly, this effectively limited the ability of a service organization to issue a SOC 3 report that included an unqualified opinion from its service auditor. With these limitations removed, more service organizations can now issue a SOC 3 report.
If you’re not issuing a SOC 3 report, take advantage of this opportunity, but remember to make the report easily accessible to your clients. Post it clearly on your website, and make it readily available to anyone who inquires. It can’t be used as a marketing tool if no one knows it exists.