Heard about SOC 3 and SysTrust | WebTrust, commonly known as the “Trust Services”? If not, you are about to start seeing SOC 3 reports surface, due in large part to the American Institute of Certified Public Accountants (AICPA) extensive efforts in reshaping service organization reporting. In short, the SAS 70 auditing standard is being replaced by SSAE 16, a new attestation standard, which is part of the new AICPA Service Organization Control (SOC) reporting framework, of which SSAE 16 falls under SOC 1 reporting.
So, back to SOC 3, which is an attempt by the AICPA to have service organizations that are involved in e-commerce, e-business, and other supporting I.T. activities utilize this (SOC 3) reporting platform (or quite possibly SOC 2, which I’ll speak about in another post) as evidence of an organization’s commitment to having in place a secure system, which would be validated against the main principles and criteria of SysTrust and WebTrust, which are that of Security, Availability, Processing Integrity, Confidentiality, and Privacy.
It will be interesting to see how the entire SOC framework plays out and what reporting options will be utilized. For simplicity, here is how the Service Organization Control (SOC) reporting framework is broken down:
SOC 1-Will use SSAE 16 as the professional Standard
SOC 2-Will use AT Section 101 as the professional Standard
SOC 3-Will rely on the SysTrust and WebTrust Principles and Criteria (Trust Services)