System and Organization Controls (SOC) 3

SOC 3 overview

System and Organization Controls (SOC) for Service Organizations are internal control reports created by the American Institute of Certified Public Accountants (AICPA). They're intended to examine services provided by a service organization so that end users can assess and address the risk associated with an outsourced service.

SOC 3 SOC for Service Organizations: Trust Services Criteria for General Use Report is a short, publicly facing version of the SOC 2 Type 2 attestation report for users who need assurances about service organization's controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy but don't need a full SOC 2 report. Because SOC 3 reports are general use reports, they can be freely distributed.

A SOC 3 report contains a written assertion by service organization management regarding control effectiveness to achieve commitments based on the applicable trust services criteria, as well as service auditor's opinion on whether management's assertion is stated fairly.

Azure and SOC 3

Microsoft Azure, Dynamics 365, and other Microsoft cloud services undergo rigorous independent third-party SOC 2 Type 2 audits conducted by a reputable Certified Public Accountant (CPA) firm. For more information, see the publicly available Azure SOC 3 attestation report.

Applicability

• Azure
• Azure Government

Services in scope

For a list of Microsoft cloud services in audit scope, see the Azure SOC 2 Type 2 attestation report or Cloud services in audit scope:

• Azure
• Dynamics 365
• Microsoft 365
• Power Platform

Office 365 and SOC 3

For more information about Office 365 compliance, see Office 365 SOC 3 documentation.

Audit reports

The Azure SOC 3 attestation report is publicly available. It covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services.

You can access Azure SOC 1 and SOC 2 audit reports and bridge letters from the Service Trust Portal (STP) SOC reports section. For instructions on how to access audit reports, see Audit documentation.

Frequently asked questions

How often are Azure SOC 3 reports issued?
SOC reports for Azure, Dynamics 365, and other online services are based on a rolling 12-month run window (audit period) with new reports issued semi-annually (period ends are 31-Mar and 30-Sep). It takes approximately six weeks to produce and publish the attestation report following the end of the audit period. Bridge letters are issued during the first week of each quarter to cover the prior three-month period. For example, the January letter covers 1-Oct through 31-Dec, the April letter covers 1-Jan through 31-Mar, the July letter covers 1-Apr through 30-Jun, and the October letter covers 1-Jul through 30-Sep.

Where can I get the Azure SOC audit documentation including bridge letters?
For links to audit documentation, see Audit reports. The Azure SOC 3 attestation report is publicly available.

Resources

• Azure compliance documentation
• Azure enables a world of compliance
• Microsoft 365 compliance offerings
• Compliance on the Microsoft Trust Center
• Service Trust Portal audit reports
• AICPA SOC for Service Organizations
• SSAE No. 18, Attestation Standards: Clarification and Recodification (AICPA Professional Standards)
• SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide, available for purchase)
• TSP section 100 (AICPA 2017 Trust Services Criteria, includes Mar-2020 updates)