SOC 3 Examinations
The SOC 3 Examination does everything that is done for a SOC 2 Type 2 Examination; however, the report is much shorter, as the last 50 pages of the SOC 2 were removed to call it a SOC 3. These are intended to be public-facing reports that you post on your website.
Who should get a SOC 3 Examination?
SOC 3 Examination Scope
You set your scope based upon the selected Trust Services Criteria. The base criterion is “Security”, which includes a set of 9 “Common Criteria”. Optionally, you can add four additional criteria on the topics of Availability, Confidentiality, Processing Integrity and Privacy. This is typically driven by whatever your customer is blurting out as they bang on the table. If you want to talk about your scope, we’ll be happy to humor a call.
HR and Entity Controls
Here we talk about background checks, security awareness training, confidentiality agreements, performance reviews and risk assessment.
Logical and Physical Access Controls
Here we talk about multifactor authentication, user access management, password controls, and all the encryption things.
Change and IT Operations Controls
Here we talk about how change is inevitable, except from a vending machine. Even if vending, you still should test your code. IT operations includes all the “other” things.
Vendor Risk Management Controls
So you outsourced something to someone? Great. Let’s talk about how you know that they are able to participate and excel at meeting your customers’ requirements.
Our Audit Process
We’ve been at this long enough that we can audit our way out of a paper bag. Even as paper bags have increased in overall quality, we have continually surprised ourselves by getting out before the local house cat found us.
Scoping and Planning
Before we get too carried away, we get to know you, what you do and what processes impact financial reporting. This lets us tailor our requests to match what you actually do instead of going on a fishing expedition with a shrimp net.
Control Testing and Evidence Collection
We leverage our audit portal to provide a list of requests, manage their status and assign them to all the folks you’ve voluntold to help with the audit effort. We provide near-real-time feedback as you’re submitting evidence so you know if you went over, under or hit “the bar”.
Reporting and Issuance
This part you usually don’t have to help with – we slip into the back room and count some beans, do some quality assurance and then present you a draft report on a platter. If it looks good, great, we finalize; if not, well… uhh… we do it again.
Pricing for SOC 3 Examinations
$7,000
If you really have to have one of these, we’ll be glad to add it on to the scope of a SOC 2 that we’re doing for you. Don’t worry, your customers will thank you and then ask for your SOC 2 instead if you give it to them.
Questions We Get Asked (or, FAQs)
Here are a few questions we typically get – if you don’t see what you’re looking for, let us know and we’ll be glad to add it!