The best time to get a SOC 3 audit is…when you’re getting a SOC 2 audit. Because the audits are one and the same.
Why, then, are there two kinds of reports? Because there are two kinds of audiences for them: internal and external. The essential difference between SOC 2 and SOC 3 lies not in the audit, but in the nature of the SOC report and how the findings are used. The same audit can produce either type of report, or both, and being compliant with SOC 2 means you also achieve SOC 3 compliance. How efficient is that?
Service organizations generally get a SOC 2/3 audit to ensure that the data they process for their clients—referred to as “user entities” by the American Institute of Certified Public Accountants (AICPA)—is secure and private.
Is mine a service organization?
The AICPA established System and Organization Controls for Service Organizations 2 and 3 (formerly known as Service Organization Controls 2 and 3) to provide auditors with criteria for testing controls relevant to data privacy and security at service organizations.
If yours is a service organization, i.e. an organization that performs a service for other organizations or “user entities,” you may need a SOC 2/3 audit. If your organization handles data that belongs to those user entities, you definitely need this audit: SOC 2/3 is the standard for demonstrating a commitment to data security and privacy, and certification is crucial in the business world today.
Examples of service organizations include:
- Data centers
- Cloud computing services
- Software as a Service providers
- Credit card processors
- Internet service providers
- IT security management
- Financial processing
- Accounting and auditing
- Customer support
- Sales support
- Medical claims processing
- Insurance claims processing
- Human resources
- Data analysis
- Document and records management
- Workflow management
- Customer relationship management (CRM)
- Technology consulting
How does a SOC 2/3 audit differs from a SOC 1 audit?
A SOC 2 or 3 audit report will address your service organization’s internal controls in five “Trust Services Categories”:
- “The security, availability, and processing integrity of the systems the service organization uses to process users’ data,” and
- “The confidentiality and privacy of the information processed by these systems.”
A SOC 1 report uses a different auditing standard: the Statement on Standards for Attestation Engagements No. 18 (SSAE 18, formerly SSAE 16). SOC 1 audits are all about financial reporting, discussing controls that affect your organization’s financial statements. Are the controls well designed? Do they work, helping the organization to meet its financial goals?
If your service organization processes, stores, or transmits data from an external client, you need a SOC 2 audit to ensure that you are handling that data securely. A breach could devastate your business and your bottom line.
Your use of the SOC 2 report is restricted, however. The AICPA stipulates that it is for internal use only—restricted to service organization managers, the user entities with whom they do business, and user-entity auditors.
How companies use SOC 3 findings
SOC 3 reports, on the other hand, can be freely distributed. These reports are shorter, without the technical (and usually confidential) descriptions of the auditor’s control testing and the results of those tests. SOC 3 reports are designed for general use: anyone may read them.
Many organizations use their SOC 3 reports for marketing. Some post them on their website, or offer them to prospective clients and customers as evidence of their commitment to protecting the security and privacy of the data they handle.
Since the audit for SOC 3 is the same as a SOC 2 audit, organizations wanting a SOC 3 report generally request one when they engage the auditor.
One caveat: SOC 2 reports come in two flavors.
- Type 1, often an organization’s first-ever SOC 2 report, looks at controls governing data security and privacy at the time of the audit.
- Type 2 reports discuss the effectiveness of your organization’s information security and privacy controls since your last SOC audit, which typically means one year.
SOC 3 reports, however, are generated only after a Type 2 audit. So if you want to publish or disseminate your SOC report for general consumption, you will need an audit that generates a Type 2 report.