Definition and purpose

The purpose of a SOC 3 report is to provide a more concise and high-level version of a SOC 2 Type II report. SOC 3 is intended for public consumption and can be posted on the organization’s website or distributed freely in another way to customers and prospects to demonstrate their commitment to data security.

While a SOC 3 report contains an opinion on the operating effectiveness of controls, it does not include a detailed description of tests of controls performed by the service auditor and the results of those tests. This is what makes it appropriate for a general audience that does not have the need for or the knowledge necessary to make effective use of a SOC 2 report.

Governing Body

SOC 3 is part of a suite of services created and maintained by the American Institute of Certified Public Accountants (AICPA). AICPA provides guidance on how SOC 3 reports should be conducted, what should be included, and the criteria against which the controls are assessed.

Last updated

SOC 3 was released in 2010 under the Statement on Standards for Attestation Engagement (SSAE 16). The last major update to SOC 3 occurred in 2016, with the introduction of SSAE 18, which replaced SSAE 16.

Documents related to SOC 3 have also been updated in recent years. Most notably, the AICPA released revised Trust Services Criteria in 2017 (which are the framework against which a SOC 2 and 3 evaluation is made) and revised points of focus for those criteria in 2022, which affected the service auditor’s opinion in SOC 2 and 3 reports.

Applies to

SOC 3 reports can apply to service organizations in various industries that process and store customer data. They can be particularly useful to service organizations that provide services directly to consumers (B2C) or to businesses and consumers (B2B2C) that need to provide prospects and customers with assurance of their controls related to security, availability, processing integrity, confidentiality, and privacy.

Controls and requirements

A SOC 3 report evaluates the design and operating effectiveness of controls necessary to meet the applicable trust services criteria (TSC). The five TSC are security, availability, processing integrity, confidentiality, and privacy. Security is the only required TSC.

The trust services criteria do not prescribe specific controls for any organization. The controls that a service organization puts in place depends on the risks that may prevent them from achieving their service commitments and system requirements, the number of TSC included in their audit, and the complexity of their infrastructure and organization. They typically cover the following areas:

• Information security
• Logical and physical access controls
• System operations
• Change management
• Risk mitigation

Please refer to the AICPA website for official resources related to SOC 3 controls and requirements.

Audit type, frequency, and duration

• Audit Type: To obtain a SOC 3 report, organizations must undergo an audit by a CPA, which involves rigorous testing of the organization’s controls relevant to security, availability, processing integrity, confidentiality, or privacy.
• Audit Frequency: SOC 3 examinations are often conducted annually to provide ongoing assurance to stakeholders.
• Audit Duration: The duration of a SOC 3 audit can vary depending on the scope of the audit and the complexity of the service organization's infrastructure and operations. It typically ranges from a few weeks to a few months.