Service Organization Control Series Part III: Basics of SOC 3

SOC 3 Basics

A Service Organization Control (SOC) report is an internal control report that allows an organization to assess the risks associated with outsourcing. The new framework for SOC reporting presented SOC 3 report, which will show whether or not a service organization attained any of the Trust Service Principles and Criteria.

Trust Service Principles are concentrated on e-commerce system due to the fact that massive amount of information that regularly circulate on the internet. The said information is either confidential or related to finances. Reports that are derived from trust principles are known as WebTrust, which can be classified as WebTrust, WebTrust Online Privacy, WebTrust Consumer Protection, and WebTrust for Certification Authorities. Furthermore SysTrust, which covers security, availability, processing integrity, and confidentiality, also falls under the aforementioned class.

Purpose of Service Organization Control 3

According to the Second Volume of ISACA Journal published in 2011, Service Organization Control 3 report is designed to address the users’ need for assurance regarding the service organization’s controls such as confidentiality, availability, processing integrity, security, and privacy, but it is silent  on how to effectively use SOC 2.  In addition, non-financial controls that are pertinent to the service organization’s compliance and operations are reported in SOC 3.

Scope of Service Organization Control 3

Service Organization Control 3 reports are performed under AT 101, Attestation Engagements, and the AICPA Technical Practice Aid, Trust Services Principles, Criteria, and Illustrations. These reports cover the criteria laid out by the AICPA, including the five key control domains. After a detailed examination of these criteria by an auditor, he/she will generate a general summary that will indicate if the service agency has achieved the required measures. For example, if an auditor will assess the processing integrity of the controls of a service organization, he/she  will test the timeliness, accuracy, completeness, and authorization of system inputs and outputs. The processing integrity report that will be produced thereof will give the user entity information on the quality of processing that they would otherwise not be able to acquire from simple monitoring.

Service Organization Control 3 vs. Service Organization Control 2

In a manner that is similar to a Service Organization Control 2 report, the primary focus of a Service Organization Control 3 report is on controls that are related to any of the Trust Services Principles. What makes SOC 3 different from SOC 2 is the fact that a comprehensive description of the auditor’s test of controls, the outcome of these tests, and the service auditor’s opinion on the description of the service organization’s system are included on SOC 2 reports. On the contrary, SOC 3 reports only contain the auditor’s report regarding the system’s adherence to the trust services criteria. Furthermore, SOC 3 reports have less detailed information of the inner workings of the organization.

In terms of target audience, owing to the fact that it is a general-use report, SOC 3 reports are made available to the public and can be utilized as a marketing tool (e.g. posting the AICPA SOC 3 seal on the webpage of the service organization).

Elements of a Service Organization Control 3 Report

As stated previously, Service Organization Control 3 reports contain the service auditor’s report. Supposing that the report addresses the privacy principle, an attestation from the service auditor about the service organization’s compliance with the commitments in its privacy practices will be incorporated into the SOC 3 report.

Benefits and Drawbacks of Service Organization Control 3

With Service Organization Control 3 reports, users do not have to absorb pages of comprehensive and thorough control descriptions, and test procedures. However, carving out important subservice providers is not allowed under SOC 3.

Displaying the AICPA SOC 3 seal is probably the most attractive feature of SOC 3. However, the service provider has to meet all of the Criteria. If this is not the case,then the service provider cannot advertise its SOC 3 seal until the point(s) in question is/are rectified and re-audited.