What is the Relationship Between SOC 2 and SOC 3?
Guidance for accountants reporting on controls of a service organization relevant to the financial reporting of user organizations was primarily included in SAS 70. This regulation focused on risks related to financial reporting. However, it was often misused for reporting on operations or compliance. The SSAE 16 and ISAE 3402 regulations were established to address these issues.
The AICPA identifies three types of Service Organization Control (SOC) reports: SOC 1 (ISAE 3402 and SSAE 16), SOC 2 (Security, Availability, Processing Integrity, Confidentiality, and Privacy), and SOC 3 (a SysTrust for Service Organizations).
For SOC 3, the AICPA has developed a standard logo.
By offering three types of reports that better meet market needs, the AICPA has effectively addressed several issues that existed with SAS 70.