SOC 3®: System and Organization Controls (SOC) for Service Organizations: Trust Services Criteria for General Use Report – WebTrust and SysTrust
These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2® Report. Because they are general use reports, SOC 3® reports can be freely distributed.
Trust Services examinations, commonly known as SOC 3® examinations, are WebTrust / SysTrust engagements based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy systems for Service Organizations. When a Service Auditor’s report, such as a SOC 1® or SOC 2®, is not an appropriate method for communicating your company’s controls over certain information technology objectives, a Trust Services (WebTrust / SysTrust) – SOC 3® report may be utilized.
Trust Services (WebTrust / SysTrust) – SOC 3® attest services are based on a set of principles and criteria defined by the AICPA and the CICA. A Service Auditor provides assurance that the company’s controls over a defined system meet all the applicable Trust Services Principles and criteria. SOC 3® reports contain a brief system description (which is not itself covered by the opinion) and the Service Auditor’s opinion on whether the system complied with all the applicable Trust Services Principles and criteria.
A Trust Services (WebTrust / SysTrust) – SOC 3® report helps differentiate your organization from your competitors by demonstrating to stakeholders that your company is attuned to and aware of the risks associated with outsourced services and that your company has addressed those risks. The potential recipients of a SOC 3® report are: consumers, business partners, creditors, bankers, regulators and outsourcers.
For More Information Speak to a Service Auditor at Roosa CPA, LLC (877) 410-8516
SOC 3® Report
- Obtain third-party validation against all the applicable Trust Services Principles and criteria (Security, Availability, Processing Integrity, Confidentiality and Privacy) throughout the specified 12-month period, resulting in a SOC 3® seal and a report for general use.
- A SOC 3® report is a general-use report, which means that management of the Service Organization may provide or distribute the report to anyone.
- Service Organizations that are in compliance with all the applicable Trust Services Principles and criteria may receive a license to display the SOC 3® / SysTrust seal on their website. The seal links to a copy of the independent Service Auditor’s report and is valid for one year, after which a re-examination must be performed to renew it.
- Service Organizations that are in compliance with all the applicable Trust Services Principles and criteria may receive a license to display the SOC 3® / WebTrust seal on their website. The WebTrust certification, or WebTrust seal, is a seal of assurance developed by the AICPA and CICA to lower the barriers to eCommerce by assuring online customers that the company they are purchasing from is adhering to standard business and information practices and disclosures. A WebTrust certification is awarded to websites that comply with the WebTrust Principles and criteria. A website visitor can view the WebTrust certification and the WebTrust audit report by clicking on the WebTrust seal.
Areas of Examination
The Trust Services Principles and their related criteria were developed by the AICPA and the CICA and are used by CPA practitioners in the performance of SOC 3® engagements. For a SOC 3® examination/report, a Service Organization is evaluated against whichever of the following Trust Services Principles and criteria are in scope for its system:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, timely and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the organization’s privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.
The Trust Services Principles and criteria of Security, Availability, Processing Integrity and Confidentiality are organized in four broad areas:
- Policies – The organization has defined and documented its policies relevant to the particular principle.
- Communications – The organization has communicated its defined policies to responsible parties and authorized users of the system.
- Procedures – The organization has placed in operation procedures to achieve its objectives in accordance with its defined policies.
- Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.
Time and Expense
Service Organizations are examined against the same Trust Services criteria for a SOC 3®, but the effort for each company varies depending on the type of services it performs for its customers and the controls it manages. We have years of experience working with just about every industry and work with our clients to define the appropriate scope so that your customers’ needs are satisfied.
- A typical first-year SOC 3® audit requires 4 to 6 weeks of resources to complete; during 1 to 2 of those weeks we will be onsite to conduct the site visit.
- During the audit process you will have a dedicated Compliance Specialist available to answer questions and the owner is involved throughout the process.
- Call a Compliance Specialist at Roosa CPA, LLC (877) 410-8516 today for a free quote.