Mortgage

SOC 3 – Trust Services Criteria for General Use Report

What is a SOC 3?

Service Organization Control 3 or SOC 3 is an audit framework just like SOC 2 conducted under AT standard 101 and focuses on the trust service principles and criteria. Unlike a SOC 2, a SOC 3 report is for general use and is meant to be shared publicly. Principles covered include:

• Security
• Privacy
• Processing Integrity
• Availability
• Confidentiality

The report should meet the needs of users who require assurance on controls but lack the necessary knowledge to utilize the SOC 2 Report. This certified report is a general use report and thus is openly distributed. It presents the maximal level of assurance and certification of operational excellence that a company collecting and storing data may receive. The absence of a detailed report requires that a SOC 3 be performed as a Type II only.

Governance Model

SOC 3 reports assist the service organizations that use information systems and deliver related services to other entities. The report by an independent Certified Public Accountant (CPA) builds assurance and confidence in these organizations’ service delivery controls and processes. This certification scheme is defined and maintained by the American Institute of Certified Public Accountants (AICPA).

Seal of Approval

The SOC 3 seal is accorded under the SOC 2 standards and is demonstrated on a general-use report. This report presents whether the system achieved the trust services criteria. Details of tests and results or opinions on account of the system are not included in it. SOC 3 report structure includes only:

• Auditor’s opinion
• Management assertion
• Assertion system description (including controls)
• Criteria (referenced)

The auditor’s report and the seal may be displayed on the organization’s website and marketing materials.

What is evaluated by a SOC 3?

Certification targets can include:

• an organization
• A set of business processes
• one or more services
• one or more cloud services

Why is the Report Needed?

To mitigate the risks accompanying the outsourcing data hosting framework, the AICPA suggests that companies compare SOC 3 reports among a wide variety of vendors to create an informed decision before trusting a service organization with the security of their critical data. Firms must ensure that the best practices are being observed by the company to protect against security leaks, damaged data, and lost sales. This is where your report can be an advantage, as it can help service providers provide assurance to the companies that are their customers.

Using the report as a marketing tool

The report may be published on the website of the organization for one year. It can be a valuable marketing tool used for exemplifying the effectiveness of an organization’s control environment. One may perform the audit to verify their commitment to outstanding service and compliance to the 5 Trust Service Principals.

A SOC 3 audit report is a way to fortify the organization’s SOC 2 Report results, especially when they are exceptional, to keep its key stakeholders relying on the information technology systems, contented and confident. The seal of approval from a verified and trusted third-party auditor also helps in gaining new customers.

The benefit of this Report for Customers

The report can benefit the customers in the following ways.

• Guarantee customers the security and confidentiality of their information and data they may provide to the service organization.
• Get the assurance of the audit of service organization by an unbiased, third-party CPA firm having extensive experience conducting these audits.
• Obtain an affirmation that the service organization’s controls are aligned, designed, and able to meet the specific pre-defined criteria.
• Ensure the service organization can display a SOC 3 logo from AICPA on the website to market customer’s services.

SOC 2 Type II attestation is essential to receive a SOC 3 report.

A SOC 3 audit conducted by a licensed CPA firm can be a significant differentiation in the current competitive market for mortgage vendors. With today’s reliance on information systems, SOC 3 audits provide comfort to mortgage companies entrusting you with their data. It ensures the information system provides secure, appropriate, and reliable information, together with preserving the privacy and confidentiality of their data.

If you would like to get started with your SOC audit or learn more about the process, contact us.