SOC 3: General Use Report on Controls Relevant to Security, Availability and More

Many entities function more efficiently and profitably by outsourcing tasks or entire functions to other organizations that have the personnel, expertise, equipment, or technology to accomplish these tasks or functions.  Examples of the services provided by such service organizations are as follows: 

  • Customer support – online or telephonic post-sales support and service management
  • Sales force automation – providing and maintaining software to automate business tasks for user entities that have a sales force
  • Health care claims management and processing – providing medical providers, employers, third-party administrators, and insured parties of employers with systems that enable medical records and related health insurance claims to be processed accurately, securely, and confidentiality
  • Managed security – managing access to networks and computing systems for user entities

SOC 3 reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report.  SOC 3 reports are a general use report and can be freely distributed.  These reporting engagements are performed under the Attestation Standards (AT-C) Section 105 and 205, and the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. 

About SOC 3

SOC 3 reports allow many organizations to issue a report to share less detailed information about their operational controls with a broader group of stakeholders, which can be used for marketing and sales efforts.  A SOC 3 report provides an opinion and management’s assertion on the organization’s system and controls related to information technology and data security.  It supplies the service organization the opportunity to advertise their processes and controls have been examined by a CPA against any or all of the five Trust Services Criteria.  

Trust Services Criteria

The Trust Services Criteria includes criteria for evaluating controls related to security, availability, processing integrity, confidentiality, and privacy.  Additional information about each of the criteria is included below. 

  • Security – The system is protected against unauthorized access, use, or modification. 
  • Availability – The system is available for operation and use as committed or agreed. 
  • Processing Integrity – System processing is complete, valid, accurate, timely, and authorized. 
  • Confidentiality – Information designated as confidential is protected as committed or agreed. 
  • Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA.  

Our Approach to Performing SOC 3 Engagements 

Choosing Smith & Howard as your partner in completing a SOC 3 engagement benefits your service organization by: 

  • Documenting your internal control environment and controls.
  • Providing confidence to users of the system.
  • Allowing you to meet regulatory and contractual requirements with users.

Our SOC Team has been trained specifically to perform SOC engagements and have the experience, knowledge, and skill to ensure your SOC engagement is a seamless and efficient process.  

For more information about SOC 3 engagements, please complete the contact form on this page or contact Marvin Willis or Debbie McGlaun at 404-874-6244.  

Related News and Media

Questions? Contact Us

With real-world CFO experience on our team, we bring a true understanding of the issues C-level executives face.

J. Sean Spitzer

Partner