By: Mark Welp, CPA, CFE - H&M Principal
We’re all familiar with the saying, “you have to walk before you can run.”
Occasionally, this saying comes to mind when our team discusses SOC report options with service organizations. Considering a SOC 3 is the shortest among all of the SOC reports, it’s easy to presume this is the route to take; many believe a SOC 3 involves less time and less investment. But the truth is, the summary that is a SOC 3 report cannot be created without the in-depth information shared in a SOC 2 report. In other words, we can’t walk past the SOC 2 and run straight to the SOC 3.
Let’s consider the basics of a SOC 2 report. First, there is the SOC 2 Type I report, which evaluates the accurate presentation of management’s description of the service organization’s system in addition to the suitability of the design of the controls to meet the applicable trust services criteria as of a specified date. The SOC 2 Type II report presents the information found in a Type I, but focuses on the effectiveness of the controls to meet the applicable trust services criteria throughout a specified period. A SOC 2 is geared toward parties that are already familiar with the nature of the provided services and controls and have an interest in gaining a better understanding of how the organization’s system interacts with user entities, sub-service organizations, and other third-party affiliates. A SOC 2 report illustrates the organization’s internal control capabilities and limitations along with the criteria and how the controls address those criteria. Ultimately, an in-depth SOC 2 report enables customers and/or stakeholders to gain confidence and place trust in your company.
Our team leverages the in-depth information provided in the SOC 2 report to produce a SOC 3 report. In essence, a SOC 3 is fashioned as a summary of sorts. It is a condensed version of a SOC 2 that a service organization can use as a promotional tool and readily share with others.
Consequently, one can’t simply cut to the chase as far as SOC reports are concerned: a SOC 2 report must precede a SOC 3. Naturally, having both reports available empowers your organization to provide assurance to those you already work with and those you hope to work with in the future.
For more information about our SOC services, please contact us today. We would be happy to assist you.