Skip to main content
All CollectionsTrust Assets
SOC 3 Reports Explained
SOC 3 Reports Explained

The what, when, and why of a SOC 3 Report

Stephanie Lorraine avatar
Written by Stephanie Lorraine
Updated over a week ago

What is a SOC 3 Report?

The SOC 3 report, prepared by a third-party auditor, is based on the AICPA (American Institute of Certified Public Accountants) Trust Services Principles, which assess five criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. As with SOC 2, Security is mandatory. You can choose to add any relevant TSCs to your SOC 3 just as you would for your SOC 2 audit.

The main objective of a SOC 3 Audit Report is to demonstrate the strength of an organization’s internal controls. It’s a less-detailed and more public-facing version of the SOC 2 Type 2 report that omits confidential information and therefore can be shared more freely than a SOC 2 report.

The SOC 3 Report includes four sections:

  • Service Organization Management’s Assertion

  • Independent Service Auditor’s Report

    • This speaks to the commitment the audited company has made to having a strong security posture.

  • Description of the Boundaries of Service Organization’s System

  • Principal Service Commitments and System Requirements

    • Map between controls that were tested and the security requirements outlined by the AICPA

When should I get a SOC 3 Report?

If you want to obtain a SOC 3 report for your organization, it’s important to know where your organization stands with your SOC 2 Type 2 compliance. It is best to receive a SOC 3 Report at the same time you are pursuing your SOC 2 Type 2. You cannot receive a SOC 3 Report with a SOC 2 Type 1.

Are you getting ready to achieve a SOC 2 Type 2 report?

This is a great time to add a SOC 3 report to your upcoming SOC 2 Type 2 audit. Both a SOC 2 Type 2 and a SOC 3 require the same information for an auditor so it is most efficient to achieve them simultaneously.

Why should I get a SOC 3 Report?

If your organization is looking for an easy way to share your compliance status publicly, a SOC 3 report will be a great add-on. A SOC 3 report is designed to instill confidence in your organization without sharing the same level of detail as a SOC 2 Type 2 report so there is no need to reserve its contents for customers or select prospects. This opens the door for your organization to use your SOC 3 in marketing materials and even publish the report on your website.

For more guidance, reach out through our chat feature for real-time Customer Success support 8 am - 5 pm PT Monday through Friday.

Did this answer your question?