A SOC 3 report is essentially a scaled-down version of a SOC 2 report. Like a SOC 2 report, a SOC 3 report is prepared in accordance with the AT Section 101 attest standard and uses the predefined criteria in the Trust Services Principles and Criteria.
The primary difference between a SOC 2 and a SOC 3 report is that a SOC 3 report does not include a description of the service organization’s system nor does it contain any information on testing. It merely provides the auditor’s opinion on whether the service organization maintains effective controls over its systems.
SOC 3 reports are intended for general use: they can be freely distributed and publicly promoted with the AICPA SOC 3 seal on a service organization's website. This makes a SOC 3 report an ideal marketing tool for demonstrating to current and prospective customers that a service organization has appropriate controls in place to mitigate risks to the security, availability, privacy and confidentiality of the customer information it processes. Consider an Internet retailer and the affiliate companies that sell goods and services on its behalf using the retailer's transaction processing systems: an affiliate can use the Internet retailer's SOC 3 report to address the concerns of its own current and prospective customers about the security and privacy of their information.