SOC 2 and SOC 3: What’s the Difference?
Over the last decade, companies have increasingly looked to outsourcing as a way of reducing costs and eliminating inefficiencies. Beyond outsourcing in general, the use of software as a service and other cloud-based technologies has skyrocketed over the last 10 years. That growth has increased the need for auditor reporting at service organizations, so that customers can confirm that their providers have adequate internal controls in place over the systems they operate. The increased use of service organizations has in turn increased the demand for Service Organization Control ("SOC") examinations. Service organizations that provide software as a service, platform as a service, data hosting, and other cloud-based technologies are often asked to provide their customers with a SOC 2 or a SOC 3 report. As these customer requests become more frequent, it can be confusing which report you should be providing, and which report will be more useful for the service organization.
SOC 2 and SOC 3 Background
SOC 2 and SOC 3 examinations are conducted in accordance with AT Section 101 and utilize the AICPA audit guide. They are used by service organizations reporting on controls that are not deemed relevant to the user entity's internal control over financial reporting. SOC 2 and SOC 3 reports are attestation examinations that require the service organization's controls to meet the Trust Services Principles defined by the AICPA. The AICPA has defined five separate trust services principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The AICPA has also set forth specific trust services criteria within each principle that the service organization's controls must meet in order to satisfy that principle. Service organizations receiving a SOC 2 or SOC 3 report determine the scope of the report by selecting the trust services principles that apply to them based on the services provided to their customers.
SOC 2 vs. SOC 3
Both the SOC 2 and the SOC 3 examination rely on the service organization designing and operating its controls to meet the Trust Services Principles of Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because both reports are measured against the same trust services criteria, the work performed by the auditor during the examination is very similar; the primary difference between the SOC 2 and the SOC 3 relates to reporting.
A SOC 2 report is a restricted-use report, which means its distribution is limited to the service organization's management, its customers, and its prospective customers. The SOC 2 report includes the auditor's opinion, management's assertion, a full description of the system and of the service organization's controls, and the results of the auditor's tests of those controls. A typical SOC 2 report therefore contains substantial detail on exactly which controls are in place at the service organization and how the auditor tested each of them.
A SOC 3 report, on the other hand, is a general-use report that can be distributed to any party. It is much shorter and consists of a brief auditor's opinion, management's assertion, and a brief narrative providing background on the service organization. Because the report is general use and is frequently posted on the service organization's website, it contains very little detail on the specific controls operating within the service organization or on how they were tested.
Service organizations continue to receive increasing requests for SOC 2 and SOC 3 reports, and the question often arises as to which examination and report they should have performed to satisfy all of those requests. The answer depends on the individual case; however, the audit work performed for a SOC 2 and a SOC 3 is essentially the same, since both examinations report on the company's internal controls against the Trust Services Principles. Service organizations also have the option of obtaining both reports: because the underlying audit work is the same and only the structure of the two reports differs, adding the second report generally results in only a marginal cost increase. Before deciding on the appropriate report, a service organization should determine whether it wants a general-use report that it can provide to a wide array of potential customers online, a restricted-use report that is provided to a limited set of customers who need control-level detail, or both.
For more information concerning SOC 2 or SOC 3 examinations and readiness assessment services provided by McKonly & Asbury, LLP please contact our team.