
This blog post outlines key terms you should be familiar with as you are undergoing a SOC 2 examination. The terms below are listed as defined by the AICPA.

Applicable Trust Services Criteria:

The criteria codified in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, and TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, of AICPA Trust Services Criteria, used to evaluate controls relevant to the trust services category or categories included within the scope of a particular examination.

Architecture:

The design of the structure of a system, including logical components, and the logical interrelationships of a computer, its operating system, a network, or other elements.

Authentication:

The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device) or to verify the source and integrity of data.

Authorization:

The process of granting access privileges to a user, program, or process by a person who has the authority to grant such access.

Board or Board of Directors:

Individuals with responsibility for overseeing the strategic direction of the service organization and the obligations related to the accountability of the service organization. Depending on the nature of the service organization, such responsibilities may be held by a board of directors or supervisory board for a corporation, a board of trustees for a not-for-profit service organization, a board of governors or commissioners for a government service organization, general partners for a partnership, or an owner for a small business.

Boundaries of the System (or System Boundaries):

The boundaries of a system are the specific aspects of a service organization’s infrastructure, software, people, procedures, and data necessary to provide its services. When systems for multiple services share aspects, infrastructure, software, people, procedures, and data, the systems will overlap, but the boundaries of each system will differ. In a SOC 2® engagement that addresses the confidentiality and privacy criteria, the system boundaries cover, at a minimum, all the system components as they relate to the life cycle of the confidential and personal information within well-defined processes and informal ad hoc procedures.

Business Partner:

An individual or business (and its employees), other than a vendor, who has some degree of involvement with the service organization’s business dealings or agrees to cooperate, to any degree, with the service organization (for example, a computer manufacturer who works with another company who supplies it with parts).

Carve-Out Method:

Method of addressing the services provided by a sub-service organization in which the components of the sub-service organization’s system used to provide the services to the service organization are excluded from the description of the service organization’s system and from the scope of the examination. However, the description identifies (1) the nature of the services performed by the sub-service organization; (2) the types of controls expected to be performed at the sub-service organization that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved; and (3) the controls at the service organization used to monitor the effectiveness of the sub-service organization’s controls.

Collection:

The process of obtaining personal information from the individual directly (for example, through the individual’s submission of an internet form or a registration form) or from another party such as a business partner.

Complementary Sub-Service Organization Controls:

Controls that service organization management assumed, in the design of the service organization’s system, would be implemented by the sub-service organization and that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved.

Complementary User Entity Controls:

Controls that service organization management assumed, in the design of the service organization’s system, would be implemented by user entities and are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements would be achieved.

Component (of Internal Control):

One of five elements of internal control, including the control environment, risk assessment, control activities, information and communication, and monitoring activities.

Compromise:

This refers to a loss of confidentiality, integrity, or availability of information, including any resulting impairment of (1) processing integrity or availability of systems or (2) the integrity or availability of system inputs or outputs.

Consent:

This privacy requirement is one of the fair information practice objectives. Individuals must be able to prevent the collection of their personal data unless legally required. If an individual has a choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative (for example, opting in) or implied (for example, not opting out). There are two types of consent:

  • explicit consent. A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties.
  • implied consent. When consent may reasonably be inferred from the action or inaction of the individual.

Contractor

An individual, other than an employee, engaged to provide services to an entity in accordance with the terms of a contract.

Control Activity:

An action established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.

Controls at a Service Organization:

The policies and procedures at a service organization that are part of the service organization’s system of internal control. Controls exist within each of the five COSO internal control components: control environment, risk assessment, control activities, information and communication, and monitoring. The objective of a service organization’s system of internal control is to provide reasonable assurance that its service commitments and system requirements are achieved.

Controls at a Sub-Service Organization:

The policies and procedures at a sub-service organization that are relevant to the service organization’s achievement of its service commitments and system requirements.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. (See www.coso.org.)

Criteria

The benchmarks used to measure or evaluate the subject matter.

Cybersecurity Objectives

The objectives that an entity establishes to address the cybersecurity risks that could otherwise threaten the achievement of the entity’s overall business objectives.

Cybersecurity Risk Management Examination

An examination engagement to report on whether (a) management’s description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and (b) the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. A cybersecurity risk management examination is performed in accordance with the attestation standards and the AICPA Guide Reporting on an Entity’s Cybersecurity Risk Management Program and Controls.

Cybersecurity Risk Management Examination Report

The end product of the cybersecurity risk management examination, which includes management’s description of the entity’s cybersecurity risk management program, management’s assertion, and the practitioner’s report.

Data Subjects

The individuals about whom personal information is collected.

Deficiency

A term used to identify misstatements resulting from controls that were not suitably designed or did not operate effectively.

Description of Misstatement

The term used to describe differences between (or omissions in) the description and the description criteria.

Design

As used in the COSO definition of internal control, the internal control system design is intended to provide reasonable assurance of the achievement of an entity’s objectives.

Deviation

A term used to identify misstatements resulting from the failure of controls to operate in a specific instance. A deviation may, individually or in combination with other deviations, result in a deficiency.

Disclosure (of Information)

The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. Disclosure is often used interchangeably with the terms sharing and onward transfer.

Disposal

A phase of the data life cycle that pertains to how an entity removes or destroys data or information.

Entity

A legal entity or management operating model of any size established for a particular purpose. A legal entity may, for example, be a business enterprise, a not-for-profit organization, a government body, or an academic institution. The management operating model may follow product or service lines, divisions, or operating units, with geographic markets providing for further subdivisions or aggregations of performance.

Entity-Wide

Activities that apply across the entity, most commonly in relation to entity-wide controls.

Environmental Protection and Safeguards

Controls and other activities implemented by the entity to detect, prevent, and manage the risk of casualty damage to the physical elements of the information system (for example, protection from fire, flood, wind, earthquake, power surge, or power outage).

External Users

Users, other than entity personnel, who are authorized by entity management, customers, or other authorized persons to interact with the entity’s information system.

Fraud

An intentional act involving the use of deception that results in a misstatement in the subject matter or the assertion.

Inclusive Method

Method of addressing the services provided by a sub-service organization in which the description of the service organization’s system includes a description of (a) the nature of the services provided by the sub-service organization and (b) the components of the sub-service organization’s system used to provide services to the service organization, including the sub-service organization’s controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved. (When using the inclusive method, controls at the sub-service organization are subject to the service auditor’s examination procedures. Because the sub-service organization’s system components are included in the description, those components are included in the scope of the examination.)

Information and Systems

Refers to information in electronic form (electronic information) during its use, processing, transmission, and storage and systems that use, process, transmit or transfer, and store information.

Information Assets

Data and the associated software and infrastructure used to process, transmit, and store information.

Information Life Cycle

The collection, use, retention, disclosure, disposal, or anonymization of confidential or personal information within well-defined processes and informal ad hoc procedures.

Inherent Limitations

Those limitations of all internal control systems. The limitations relate to the preconditions of internal control, external events beyond the entity’s control, limits of human judgment, the reality that breakdowns can occur, and the possibility of management override and collusion.

Intended Users

Individuals or entities that the service organization intends will be report users.

Internal Control

A process, effected by a service organization’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Management’s Assertion

A written assertion by the management of a service organization or management of a sub-service organization, if applicable, about whether (a) the description of the system is in accordance with the description criteria, (b) the controls are suitably designed, and (c) in a type 2 report, the controls operated effectively to achieve the service organization’s service commitments and system requirements based on the applicable trust services criteria.

Management Override

Management’s overruling of prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity’s financial condition or compliance status.

Operating Effectiveness (or Controls That Are Operating Effectively)

Controls that operated effectively provide reasonable assurance of achieving the service organization’s service commitments and system requirements based on the applicable trust services criteria.

Personal Information

Information that is about, or can be related to, an identifiable individual.

Policies

Management or board member statements of what should be done to effect control. Such statements may be documented, explicitly stated in communications, or implied through actions and decisions. Policies serve as the basis for procedures.

Privacy Notice

A written communication by entities that collect personal information to the individuals about whom personal information is collected that explains the entity’s (a) policies regarding the nature of the information that they will collect and how that information will be used, retained, disclosed, and disposed of or anonymized and (b) commitment to adhere to those policies. A privacy notice also includes information about such matters as the purpose of collecting the information, the choices that individuals have related to their personal information, the security of such information, and how individuals can contact the entity with inquiries, complaints, and disputes related to their personal information. When a user entity collects personal information from individuals, it typically provides a privacy notice to those individuals.

Principal Service Commitments

Disclosures included in the description of the service organization’s system related to the service commitments made by management to its customers about the system used to provide the service. The principal service commitments are those that are relevant to meeting the common needs of the broad range of SOC 2® report users.

Report Users (Specified Users or Specified Parties) of a SOC 2® Report

In this document, the term refers to users of a SOC 2® report. The service auditor’s report included in a SOC 2® report ordinarily includes an alert restricting the use of the report to specified parties who possess sufficient knowledge and understanding of the service organization and the system to understand the report. The expected knowledge is likely to include an understanding of the following matters:

  • The nature of the service provided by the service organization
  • How the service organization’s system interacts with user entities, business partners, sub-service organizations, and other parties
  • Internal control and its limitations
  • Complementary user entity controls and complementary sub-service organization controls and how those controls interact with the controls at the service organization to achieve the service organization’s service commitments and system requirements
  • User entity responsibilities and how they may affect the user entity’s ability to effectively use the service organization’s services
  • The applicable trust services criteria
  • The risks that may threaten the achievement of the service organization’s service commitments and system requirements and how controls address those risks

Users likely to possess such knowledge include user entities and their personnel, business partners and their personnel, practitioners providing services to such user entities and business partners, prospective user entities and business partners, and regulators who understand how the service organization’s system may be used to provide the services.

Responsibilities of External Users

Those activities and tasks that service organization management expects user entities, their employees, and any other third-party users of the system to perform for the services provided by the service organization to function as intended to meet the needs of user entities.

Retention

A phase of the data life cycle that pertains to how long an entity stores information for future use or reference.

Risk

The possibility that an event will occur and adversely affect the achievement of objectives.

Responsibilities of External Users

The risk that the description of the service organization’s system that was implemented and operated is not presented in accordance with the description criteria or that controls were not suitably designed or operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements would be achieved.

Security Event

An occurrence, arising from actual or attempted unauthorized access or use by internal or external parties, that impairs or could impair the availability, integrity, or confidentiality of information or systems, result in unauthorized disclosure or theft of information or other assets, or cause damage to systems.

Security Incident

A security event that requires actions on the part of an entity in order to protect information assets and resources.

Senior Management

The chief executive officer or equivalent organizational leader and senior management team.

Service Auditor

As used in this guide, a CPA who performs a SOC 2® examination of controls within a service organization’s system relevant to security, availability, processing integrity, confidentiality, or privacy.

Service Commitments

Declarations made by service organization management to user entities and others (such as user entities’ customers) about the system used to provide the service. Service commitments can be communicated in written individualized agreements, standardized contracts, service level agreements, or published statements (for example, in a security practices statement).

Service Organization

An organization, or segment of an organization, that provides services to user entities.

Service Provider

A vendor (such as a service organization) engaged to provide services to the entity.

Service Provider

Include outsourced services providers as well as vendors that provide services not associated with business functions, such as janitorial, legal, and audit services.

SOC 2® Examination

An examination engagement to report on whether (a) the description of the service organization’s system is in accordance with the description criteria, (b) the controls were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria, and (c) in a type 2 report, the controls operated effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria. The SOC 2® examination is performed in accordance with the attestation standards and the AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

SOC 3 Engagement

An examination engagement to report on management’s assertion about whether controls within the system were effective to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the trust services criteria relevant to one or more of the trust services categories (applicable trust services criteria).

Subsequent Events

Events or transactions that occur after the specified period covered by the engagement, but prior to the date of the service auditor’s report, which could have a significant effect on the evaluation of the presentation of the description of the service organization’s system or the evaluation of the suitability of design and operating effectiveness of controls.

Sub-service Organization

A vendor used by a service organization that performs controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved.

Suitability of Design (or Suitably Designed Controls)

Controls are suitably designed if they have the potential to provide reasonable assurance that the service organization’s service commitments and system requirements would be achieved. Suitably designed controls are operated as designed by persons who have the necessary authority and competence to perform the control.

System

Refers to the infrastructure, software, procedures, and data that are designed, implemented, and operated by people to achieve one or more of the organization’s specific business objectives (for example, delivery of services or production of goods) in accordance with management-specified requirements.

System Components

This refers to the individual elements of a system, which may be classified into the following five categories: infrastructure, software, people, procedures, and data.

System Event

An occurrence that could lead to the loss of, or disruption to, operations, services, or functions and result in a service organization’s failure to achieve its service commitments or system requirements. Such an occurrence may arise from actual or attempted unauthorized access or use by internal or external parties and (a) impair (or potentially impair) the availability, integrity, or confidentiality of information or systems; (b) result in unauthorized disclosure or theft of information or other assets or the destruction or corruption of data; or (c) cause damage to systems. Such occurrences also may arise from the failure of the system to process data as designed or from the loss, corruption, or destruction of data used by the system.

System Incident

A system event that requires action on the part of service organization management to prevent or reduce the impact of the event on the service organization’s achievement of its service commitments and system requirements.

System Requirements

Specifications about how the system should function to (a) meet the service organization’s service commitments to user entities and others (such as user entities’ customers); (b) meet the service organization’s commitments to vendors and business partners; (c) comply with relevant laws and regulations and guidelines of industry groups, such as business or trade associations; and (d) achieve other objectives of the service organization that are relevant to the trust services categories addressed by the description. Requirements are often specified in the service organization’s system policies and procedures, system design documentation, contracts with customers, and government regulations.

Test of Controls

A procedure designed to obtain evidence about whether controls operated effectively to achieve the service organization’s service commitments and system requirements based on the applicable trust services criteria.

Third Party

An individual or organization other than the service organization and its employees. Third parties may be customers, vendors, business partners, or others.

Trust Services

A set of professional attestation and advisory services based on a core set of criteria (trust services criteria) related to security, availability, processing integrity, confidentiality, or privacy.

Unauthorized Access

Access to information or system components that (a) has not been approved by a person designated to do so by management and (b) compromises segregation of duties, confidentiality commitments, or otherwise increases risks to the information or system components beyond the levels approved by management (that is, access is inappropriate).

User Entity

An entity that uses the services provided by a service organization.

User or Intended User

An individual or entity that the service auditor expects will use the service auditor’s report.

Vendor

An individual or business (and its employees) engaged to provide services to the service organization. Depending on the services a vendor provides (for example, if it operates certain controls on behalf of the service organization that are necessary, in combination with the service organization’s controls, to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved), a vendor might also be a sub-service organization.