Rest In Peace SOC 3 Seal

October 29, 2014


On October 2, 2014, the AICPA and CPA Canada announced their joint decision to discontinue the seal programs for SysTrust and SOC 3 SysTrust for Service Organizations.


In their announcement, the AICPA and CPA Canada stated that they recognize the growth in the attestation/assurance services market, especially in the area of systems reliability and service organization controls, and that with this in mind they will continue to ensure the effectiveness of these services despite the seal program coming to an end.

This doesn’t mean that the SOC 3 examination is gone, just the seal. According to Bryan Walker, Director of Practitioner Support, CICA:

The SOC 3 for SysTrust for Service Organizations will remain as part of the initiatives for Service Organization Controls. The SOC 3 seal program will be terminated and the SOC 3 seal will no longer be available.

Therefore, service organizations still complete a SOC 3 examination, which provides a shorter report than a SOC 2 examination, including only the auditor's opinion, management’s assertion and the system description.

So what does that mean for service organizations that underwent a SOC 3 examination?

After December 31, 2014, the only thing that will no longer be provided to service organizations is the seal that was jointly managed by the AICPA and CPA Canada. Meanwhile, a seal that has already been issued under an existing license will remain active through its expiration date. Seals will still be issued through December 31, 2014, for any SysTrust and SOC 3 engagements currently in progress, including renewals of existing SOC 3 SysTrust for Service Organizations and SysTrust seals. After that date, however, anyone who continues to use SysTrust-related marks must disclose to clients that the seal program is not active and is not supported by or associated with the AICPA and CPA Canada.

Also, do not fret; service organizations can still complete the SOC 2 examination, which will still provide the user entity the same level of comfort, although the SOC 2 report is not freely distributed.

You should also know that CPA Canada stated in the announcement that they are reviewing the WebTrust for Certification Authorities seal program. While it currently continues, the review is to determine whether the benefits of the program justify the resources necessary for its continuation.

Clearly, there is a lot of assessment and change underway; however, every effort has been made to see that these changes will not cause a disruption within the service organization control reporting world.
