What are SOC 2 and SOC 3 Reports?

Service organizations may also obtain audits of specific defined control criteria that meet customer requirements beyond those covered by a SOC 1 report. SOC refers to the System and Organization Controls (SOC) 1, 2 and 3 reports defined by the American Institute of Certified Public Accountants (AICPA); the acronym originally stood for Service Organization Control.

SSAE 18 serves as the guidance for the issuance of SOC 1 reports. SOC 2 and SOC 3 audits were historically performed under the guidelines of AT Section 101; with SSAE 18, the attestation standards were recodified into the AT-C sections (AT-C 105 and 205 for SOC 2 and SOC 3 examinations).

Here is what you need to know about these reports:

  • SOC 2 and SOC 3 reports specifically address risks around the following five Trust Services Criteria (formerly called the Trust Services Principles, which grew out of the SysTrust and WebTrust principles):
    • Security
    • Availability
    • Processing Integrity
    • Confidentiality
    • Privacy
  • These reports may cover one or all of the Trust Services Criteria; Security (the common criteria) forms the baseline, and Availability, Processing Integrity, Confidentiality and Privacy are added as the service organization's commitments require
  • Each criterion has defined requirements that must be satisfied, and the auditor tests the organization's controls against them
  • Requirements for the SOC 2 and SOC 3 reports are defined by the AICPA
  • The SOC 2 report is intended for limited distribution to knowledgeable parties (for example customers and their auditors under NDA), and can be issued as a Type I report (the design of controls as of a point in time) or a Type II report (the design and operating effectiveness of controls over a review period, typically six to twelve months)
  • The SOC 3 report results in the issuance of an opinion only and is a general-use report that can be distributed freely. It does not include the description of controls or the tests performed, so a customer who needs to evaluate specific controls must request the SOC 2 report
