What are SOC 2 and SOC 3 Reports?

SSAE18 & SOC | May 10, 2017 | Holtzman Partners

Service organizations may also obtain audits against specific, defined control criteria that meet customer requirements beyond those of a SOC 1 report.

SOC refers to the Systems and Organization Control 1, 2 and 3 reports released by the American Institute of Certified Public Accountants (AICPA).

The SSAE 18 serves as the guidance for the issuance of SOC 1 reports. The SOC 2 and 3 audits are performed under the guidelines of AT 101.

Here is what you need to know about SOC 2 and SOC 3 reports:

  • SOC 2 and SOC 3 reports specifically address risks around the following five Trust Principles (SysTrust and WebTrust principles):
    • Security
    • Availability
    • Processing Integrity
    • Confidentiality
    • Privacy
  • These reports may include one or all of the Trust Principles
  • Each Trust Principle has defined criteria (i.e., requirements) that must be satisfied
  • Requirements for the SOC 2 and SOC 3 reports are defined by the AICPA
  • The SOC 2 report is intended for limited distribution to knowledgeable parties
  • A SOC 2 report can be issued as a Type I or Type II report
  • The SOC 3 report results in the issuance of an opinion only. This report does not include a description of controls or tests performed.

Our team provides the technical experience and industry depth that your team can trust.