SYSTEM AND ORGANIZATION CONTROLS REPORT SOC-3
Trust Services (including WebTrust and SysTrust) are audits that were specifically designed for companies looking for independent assurance related to Information Systems and e-Commerce activities. The Assurance Services Executive Committee of the AICPA has developed \ criteria to provide guidance over reporting on the security, availability, processing integrity, privacy, and confidentiality of systems. SOC 3 reports are Trust Service examination reports. They address the same subject areas as a SOC 2 report, but, in a shortened version that can be used in a service organization’s promotional efforts and on its website. SOC 3 reports can serve as a marketing tool, with potential customers for instance, to show the organization has appropriate controls in place to mitigate risks on non-financial subject matters.
The Benefits of a SOC 3 Report
When your service organization obtains a SOC 3 report, it enhances the confidence among sellers and buyers alike. These customers and stakeholders gain confidence and place trust in your organization and its systems. This document allows you to reduce risk and provide assurance to the management and boards that need confirmation. The SOC 3 also provides a competitive advantage by giving your company independent verification by trusted professionals.
TRUST SERVICES PRINCIPLES SCOPING CONSIDERATIONS
SOC 3 framework utilizes the Trust Services Principles. The Trust Services Principles consist of the five specific principles noted below:
​
-
Security
-
Availability
-
Processing Integrity
-
Confidentiality
-
Privacy
The Benefits of a SOC 3 Report
The trust services principle and the criteria is evaluated in the following categories of security, availability, processing integrity, and confidentiality are organized in four broad areas, across all principles:
​
Policies:
The entity has defined and documented its policies relevant to the particular principle.
​
Communications:
The entity has communicated its defined policies to responsible parties and authorized users of the system.
​
Procedures:
The entity placed in operation procedures to achieve its objectives in accordance with its defined policies.
Monitoring:
The entity monitors the system and takes action to maintain compliance with its defined policies.