SOC 3 – Type I and II

SOC Reporting – When to Choose a SOC 3 Report

If you are new to SOC reporting processes, it’s important to understand the difference between the various types of attestation standards. SOC 3 audits are designed to be presented and available to the public, but the basis of the audit is still the AICPA’s Trust Services Principles. The best way to think about a SOC 3 report is as a SOC 2 audit without the detailed, highly technical report.

Similar to a SOC 2, a SOC 3 audit is based on the Trust Services Principles from the AICPA, which could include security, availability, confidentiality, processing integrity and privacy. These audits are not designed for entities that process financial transactions but rather for businesses that are focused on providing services such as managed security or co-location services as well as entities that hold significant third-party data but do not process financial transactions.

Offering a Full Suite of SOC Reporting Services

SOC 3 reports also come in two types: Type I and Type II. Type I reports are approached from one “point in time,” whereas Type II reports are framed over a “period of time.” Type II reports are the most common.

At PKM, we have provided third-party service provider examination (SOC and its predecessor SAS 70) services since 1997. We have built a team to serve companies that count their clients as some of the largest financial service companies in the United States. Our goal is to add value to your business by reducing risk and increasing long-term value. It’s what we do every day.

Getting ready?

Are you getting ready for an upcoming SOC or other third-party attestation report? Learn about some of the most common pitfalls to avoid here.

Compliance Corner

Top Pitfalls to Avoid When Preparing for a Third Party Attestation Report
