SOC 3 Reports

SOC 3 Report – SOC for Service Organizations: Trust Services Criteria for General Use Report

A SOC 3 report is essentially a scaled down version of a SOC 2 report. Like a SOC 2 report, a SOC 3 report is prepared in accordance with the AT Section 101 attest standard and uses the predefined criteria in Trust Service Principles and Criteria. The primary difference between a SOC 2 and a SOC 3 report is that a SOC 3 report does not include a description of the service organization’s system nor does it contain any information on testing. It merely provides the auditor’s opinion on whether the service organization maintains effective controls over its systems. 

Purpose and Intended Audience

SOC 3 reports are intended for general use — they can be freely distributed and can be publicly promoted with the AICPA SOC 3 seal on an organization’s website. As such, this makes SOC 3 reports the ideal marketing tool to demonstrate to current and prospective customers that an organization has the appropriate controls in place to mitigate risks related to the security, availability, privacy and confidentiality of customer information being processed. In the case of Internet retailers and affiliate companies who sell goods and services on behalf of the Internet retailer and use the Internet retailer’s transaction processing systems to do so, the affiliate company can utilize the Internet retailer’s SOC 3 report to address the concerns of current and prospective customers with regard to the security and privacy of their information. 

MORE INFORMATION

The practitioners at MFA are well-versed in assessing a firm’s internal controls and providing proactive guidance in this area. To learn more about our SOC 3 examinations, please contact the MFA team today.

 

 

AICPA SOC Report

RELATED TEAM MEMBERS

Michelle Kupka Audit Partner (978) 557-5342
Michelle Mackey Partner – Performance & Controls Practice (978) 569-2909

DOWNLOAD BROCHURE

Contact Us
Message
Back

Help Us Build You A Better Web Experience

Click Here