Ask the Experts - SOC 3 | SOC 3 vs SOC 2 | SOC 3 Reports

Robert Ramsay, Director
Ike Hedges, SOC Team
Ian McManis, Marketing Manager

Ian McManis (00:09): Hi, and welcome to Barnes Dennig Ask the Experts. I’m Ian McManis, marketing manager with Barnes Dennig, and today we’re talking with SOC practice leader and director Robert Ramsay, and SOC team member Ike Hedges about SOC 3 reporting. We’ve got a lot to cover, so let’s go ahead and get started.

Robert Ramsay (00:26): Thank you so much, thanks for doing this, and Ike, thanks for joining me today.

Ike Hedges (00:30): Yeah, it’s my pleasure. If you don’t mind, we’ll just jump right into the questions here.

Robert Ramsay (00:34): Go for it.

Ike Hedges (00:35): So my first question is, why is there a SOC 3 report?

Robert Ramsay (00:39): Yeah, originally accountants wanted the SOC 1 to cover financial reporting, and then we realized there was demand for a SOC 2 to cover data security and privacy and confidentiality, and those are restricted to customers of business-to-business providers, and there was a demand for an unrestricted version, something that could be put out on the internet available for future customers, for anybody to see that blue stamp of approval that there’s been a SOC report from a CPA. So, after having a one and a two, they made it a three and now we have a SOC 3.

Ike Hedges (01:15): That definitely makes sense. So, I know in other SOC reports they have a light version and a heavy version. So, why does the SOC 3 not have a light version?

Robert Ramsay (01:26): Yeah, good point. For the SOC 1 and the SOC 2, there’s a type one and a type two, and that type one was the lighter version, and the type two was a full audit over a period of time. A SOC 3 is a derivative of a SOC 2 and it’s already kind of a light version, so it’s no different testing than a SOC 2. It’s a SOC 2 made available for the general public, and it restricts, it’s a lot shorter. So, a SOC 2 is often 30-100 pages, a SOC 3 will be 3-5 pages. It has much less information. It’s light already, I guess.

Ike Hedges (02:05): That definitely makes sense.

Robert Ramsay (02:06): Yeah.

Ike Hedges (02:07): Awesome, so why does everything have to be named with a number?

Robert Ramsay (02:12): That’s just because we’re accountants. The AICPA governs the production of these reports, sets all the standards and rules for what we do to put them out. And I guess, they haven’t put a lot of thought into the marketing side of it so we just keep numbering things. That’s what you get when accountants are in charge, I think.

Ike Hedges (02:33): That makes sense. So, is it a lot of work to add a SOC 3 to a SOC 2 project?

Robert Ramsay (02:40): It’s actually not a lot of work and I don’t see a lot of SOC 3 adoption lately, so maybe it’ll happen more over time. Maybe especially as people realize that it’s not a lot of extra work, or a lot of extra cost. It is a derivative of SOC 2, so an auditor doing all the work for a SOC 2 has at their disposal to create a SOC 3, and in fact it’s part of a SOC 3 report and you’re just culling a good bit of detail. So, it’s not a lot of extra work for the value it creates, especially for something that can be put on the internet. Because now, if you go searching on the internet, you’re not going to see a lot of SOC 1 or SOC 2 reports, they’re restricted to customers or folks that know what they’re reading, but a SOC 3 you could put out on the internet and make available to everyone, and get credit for having done that.

Robert Ramsay (03:30): So, it’s not a lot of extra work and I think it’ll grow in popularity.

Ike Hedges (03:36): That’s awesome. So, that’s all the questions I have for you today. Thank you so much, Robert.

Robert Ramsay (03:41): Yeah, thanks, Ike. I appreciate it. Good to talk to you.

Ian McManis (03:43): Thanks. That was some great content, and thank you again for being with us and for sharing your insights today, Ike and Robert. If you’d like more information or would like to set up a conversation with our team, please visit the Barnes Dennig website and until then, we’ll see you next time on Ask the Expert.
