The AICPA and CPA Canada (formerly Canadian Institute of Chartered Accountants) decided in October 2014 to discontinue the SysTrust and SOC 3 SysTrust for Service Organizations seal programs. This news may affect service organizations that had obtained or planned to obtain a SOC 3 report.
About SOC 3 Reports
The SOC 3 is a general-use report obtained by service organizations who want to demonstrate their internal controls compliance with the defined trust service principles around security, availability, processing integrity, confidentiality and/or privacy. The SOC 3 provides a certified auditor’s report on whether the system achieved the related trust services criteria.
SOC 2 reports are similar and cover the same trust service principles; however, SOC 2 reports require restricted distribution of the report and provide detailed descriptions of the environment, control test procedures and results in the report. These attributes are not included in SOC 3 reports.
Prior to 2015, when a SOC 3 report was issued to a service organization by a CPA firm, the service organization could display a SOC 3 SysTrust for Service Organizations seal on their website. This seal would link to a copy of the SOC 3 opinion. Since the seal program was discontinued, organizations should no longer post the seal since it is not supported by the AICPA or CPA Canada.
So, no SOC 3?
This is not to say that SOC 3 reports have been discontinued or have no place. Service organizations may instead use the SOC logo available for SOC 1 and SOC 2 reports in place of the seal. Additionally, the SOC 3 report and its opinion can still be widely distributed to customers, potential customers, etc., and the report can still be posted on a service organization’s website.