Under SOC3 two types of audit reports can be issued:
- SysTrust. Geared primarily towards a service organisation using a wide variety of IT systems.
- WebTrust. Geared primarily towards e-commerce companies and the ability for their systems to adhere to online privacy, consumer protection, and certificate authorities, along with one or more combinations of the Trust Services Principles and Criteria (i.e. security, availability, processing integrity, confidentiality, and privacy).
Unlike a SOC 2 report, which is a restricted-use report, containing a detailed description of the service auditor’s control tests and results, as well as an opinion on the description of the service organisation’s system, a SOC 3 report is a general-use report on whether the system achieved the Trust Services Principles and related Criteria - excluding a description of tests performed and results obtained and an opinion on the description of the system.
If a service organisation receives an unqualified report, the organisation may also use the SOC 3 seal on its website.