A service organization may wish to provide prospective customers (user entities) with information
regarding the effectiveness of controls over its system. However, the prospective customers may not
have signed a nondisclosure agreement required by the service organization to access the system
description in the SOC 2 report. In other situations, prospective customers may not have sufficient
knowledge about the system, which might cause them to misunderstand the information in the SOC 2
report. In these circumstances, a SOC 3 report, which is designed for general use, may be
appropriate.
Because the procedures performed in a SOC 2 examination are substantially the same as those
performed in a SOC 3 examination, the service organization may ask the service auditor to issue two
reports at the end of the examination: a SOC 2 report to meet the governance needs of its existing
customers and a SOC 3 report to meet the needs of a broader set of users. Because these users may
not have sufficient understanding of the service organization’s system, the disclosure of the service
auditor’s tests performed and results of tests may overshadow the service auditor’s overall opinion or
may cause users to misunderstand the service auditor’s report. As a result, the SOC 3 report includes
only the following elements:
a. An assertion by service organization management about whether the controls were
effective throughout the period to provide reasonable assurance that the service
organization’s service commitments and system requirements were achieved based on the
applicable trust services criteria. As part of that assertion, management describes the
boundaries of the system and the service organization’s principal service commitments and
system requirements.
b. An opinion by the service auditor on management’s assertion about whether controls
within the system were effective throughout the period to provide reasonable assurance that
the service organization’s service commitments and system requirements were achieved
based on the applicable trust services criteria.
There is no type 1 equivalent for a SOC 3 report.
Unlike a SOC 2 report, a SOC 3 report does not include a description of the system, so the detailed
controls within the system are not disclosed. In addition, the SOC 3 report does not include a
description of the service auditor’s tests of controls and the results thereof.
For a SOC 3 examination, the service organization management’s responsibilities are substantially
the same as those for a SOC 2 examination except that management does not prepare a system
description. Although management does not prepare a system description, it does disclose the
boundaries of the system and the service organization’s principal service commitments and system
requirements as part of its written assertion.
Management’s responsibilities during acceptance and planning of a SOC 3 examination include the
following:
- Defining the scope of the examination
- Specifying the principal service commitments made to user entities and the system requirements
needed to operate the system - Identifying and analyzing risks that could prevent the service organization from achieving its
service commitments and system requirements - Designing, implementing, monitoring, and documenting effective controls to provide reasonable
assurance of achieving the service organization’s service commitments and system requirements
based on the applicable trust services criteria - Identifying subservice organizations and determining whether to present them under the inclusive
or carve-out method and, if using the carve-out method, identifying CSOCs
Management’s Assertion
The boundaries of a system addressed by the examination need to be clearly understood, defined, and
communicated to report users. Report users need that information to enable them to understand the
scope of the service auditor’s examination. They also need information about the service
organization’s principal service commitments and system requirements to enable them to understand
how the effectiveness of controls was evaluated based on the applicable trust services criteria.
Disclosures about the boundaries of the system would typically include matters such as the
following:
- The use of CUECs and CSOCs, when those are necessary, in combination with controls at the
service organization, to provide reasonable assurance that the service organization’s service
commitments or system requirements were achieved based on the applicable trust services
criteria - The use of subservice organizations, including whether the subservice organization’s controls are
included in the description of the boundaries of the system and examination or whether they have
been carved out from the description and examination - Any other information that is likely to assist report users in understanding the limitations on the
service auditor’s examination and opinion
Thanks for reading!