Glossary

  • Compliance Software

    What is compliance management software? Compliance has become a hot topic in today’s world. When organizations hear the word “compliance” they tend to think of ways to shortcut this process. Compliance software is the answer to that shortcut and can be essential for organizations looking for more effective and efficient ways to comply with the …

  • AICPA

    What is the AICPA? The AICPA (American Institute of Certified Public Accountants) is the US’s organization of Professional CPAs (Certified Public Accountants). The AICPA is the founder and originator of the SOC reporting standard and audit. Furthermore, the AICPA is a very influential body of professional accountants, and they combine the skills and expertise of …

  • Security Compliance

    Overview of security compliance The concept of security and compliance used in the same sentence has become a common theme in recent years. The word ‘security’, specifically in the information technology arena, brings up several topics, especially the relevant risks that are associated with these topics, for example: Access security, Change management security, Data security, Application security, Network security, Cyber …

  • SOC Reports

    What is a SOC report? SOC stands for Service Organizations Controls. A SOC report provides a detailed assessment of the controls, processes, and implementation thereof within an organization. A SOC report is one of the easiest and most effective ways to verify and ensure that an organization is following industry best standards and that the controls …

  • Audit Period

    Think of the audit period as the time duration over which the policies/procedures/IT control environment/etc. are evaluated. An audit period is relevant in the world of compliance and auditing. Before a potential business partner or customer enters into contract agreements, paying money, and handing over important information, they want to be assured that the company …

  • SOC 2 Evidence Collection

    When it comes down to collecting evidence for the SOC 2 audit itself, there are a few key points that one needs to remember. Obtaining and submitting the incorrect audit evidence can cause audit headaches as it will most times mean having to recapture, extract, and submit the evidence again – showing the necessary key …

  • Auditor's Opinion

    SOC 2 is based on the American Institute of Certified Public Accountants (AICPA) standards to provide an audit opinion on the security, availability, processing integrity, confidentiality, and/or privacy of a service organization’s controls. What is a SOC 2 audit opinion? An audit opinion is the audit result or the audit outcome of a SOC …

  • Vendor Management Policy

    Sometimes, a third-party contractor only needs access to certain company databases or permissions. Or, a third party’s services may only be required on certain days of the week. In order to sort out these technicalities, it is necessary for outsourcers to create a vendor management policy statement. What is a vendor management policy? A vendor …

  • Third-Party Risk

    Let’s start off with an example. A company’s offices could follow airtight security practices and have a comprehensive keycard system that keeps unwanted and potentially malicious visitors out. But none of that will matter if one of the hired painters leaves their keycard on the bus, and that card finds itself in the possession of …

  • Self-Assessment Questionnaire (SAQ)

    What is a self-assessment questionnaire? A self-assessment questionnaire (SAQ) is an important step towards auditing success when aiming for compliance of a varying degree based on results from an SAQ assessment. The goal of the questionnaires is to prepare your organization for what the audit will entail and to make sure you are set up …

  • SOC 2 Readiness Assessment

    What is a SOC 2 readiness assessment? A SOC 2 readiness assessment is exactly what the word implies: an assessment that is performed to see if a company or more specifically, the control environment of the company’s product, is ready for a SOC 2 audit. The objective of the report is to summarize the current …

  • Information Produced by the Entity (IPE)

    IPE, or Information Produced/Provided by the Entity, is a term used in compliance and auditing that refers to the actual information used by the auditor in order to assess, test, and draw conclusions about controls, and ultimately, the audit opinion. There is no clear-cut, Oxford-dictionary definition of what constitutes IPE, or IPE audit evidence, and so …

  • Complementary User Entity Control (CUEC)

    Complementary user entity controls (CUEC) are controls that reside at the user entity level of a service organization. User entities are organizations that utilize the services of a service organization. Essentially what it means is that there is a shared responsibility between two parties to ensure the control criteria are being achieved. Think of CUECs …

  • Compliance Program

    As a leader in a developing company, you are well aware that creating a compliance program is something you will have to deal with at some time as you grow. Because industry standards frequently have overlapping criteria, an organization may establish a single policy or a set of rules that meets various needs. It’s vital …

  • Audit Trail

    An audit trail, sometimes referred to as an audit log, is a documented flow of transactions, security-relevant records, or data changes that are date and time stamped. It keeps a sequential record of the history and details around the change. Depending on the area of expertise, audit trails/logs come in different shapes and …

  • Security Management Policy (IS Policy)

    It is a well-known fact that all organizations require written policies, procedures, and rules in order to achieve compliance. Think about a practical example of building a house. For any solid structure to be developed, you need a solid foundation. The policies are the foundation of an organization. Policies are the principles and …

  • Cloud Security Compliance

    “The Cloud” is terminology that is so commonly used nowadays. Cloud computing refers to the availability of resources required by computer systems, including and specifically related to data storage and computing power without the user/organization having direct management. When we talk about cloud compliance, we are referring to the procedures, policies, and practices that monitor …

  • Compliance Process Automation

    For many companies, meeting security and compliance requirements at the same time can be a daunting task. For one thing, many companies do not have their own compliance capabilities. Rather, the security team does the compliance work. They are responsible for time-consuming audit requests, documenting and making changes to internal controls, etc. The preparation is …

  • Vendor Review

    Nowadays, there is a plethora of vendor tools, services, and products that exist for almost every business requirement and focus area of an organization, and it is often easier, and more cost effective to use a vendor’s established product or service rather than spending the time and money developing your own. However, using one of …

  • SOC 2 Auditor

    What does a SOC 2 auditor do? An auditor who has been accredited by the AICPA can attest and report on whether controls were suitably designed and effectively implemented during the audit period for an organization. Not all accountants are CPAs, so when hiring an auditor it is important to be sure they are commissioned …

  • ISO 27001 Security Standard

    A standard that was developed in 2013 by the International Organization for Standardization and IEC (International Electrotechnical Commission). What is the purpose of the ISO 27001 framework? ISO/IEC 27001 is an international standard on how to manage information security. This standard formally specifies an Information Security Management System (ISMS) to be established, maintained, and continuously …

  • Compliance Frameworks

    A set of criteria that is developed by an organization that achieves some objective or outcome with the intended purpose of having some type of benefit to the organization. Compliance frameworks allow you to take parts of your organization’s procedures, policies, and other documentation and compile them all into one cohesive entity. There are always …

  • Data Security Controls

    Data security controls are any parameters used to prevent and safeguard data within your company. Such controls can be in the form of policies, rules, systems, or any other form, for the sake of guaranteeing compliance. Controls conducted outside of a system are called manual controls, whereas controls configured within a system that are used to …

  • Data Classification Policy

    A policy that specifies the required tagging of data stored by a company. This data is usually specific in nature, such as PCI data, Health Information, and Personally Identifiable Information. If you have ever worked for a large enterprise, you know how daunting it can be to get up to speed on things. Things are …

  • SOC 2 Type II Report

    A SOC 2 Type II report assesses the design and operating effectiveness of an organization’s controls over a period of time. A SOC 2 Type II report is a report on an organization’s internal controls, capturing how a company safeguards customer data and how well those controls are operating. SOC 2 Type II Trust Principles …

  • IT Security Policy

    Information Security Policies, also known as IT Security Policies, allow an organization’s management team to implement administrative controls and ensure that standards are set for information security across the organization. The minimum an IT data security policy should include: Purpose, Scope, Information Security Objectives. At a minimum the organization should be reviewing policies and procedures on …

  • ISO 27001 Compliance

    The ISO 27001 standard has continued to be a popular option despite the ever-expanding list of industry-specific solutions due to its applicability across both business sectors and continents. The ISO 27000 series: The deployment and maintenance of an information security management system are the primary focus of the ISO 27001 standard, which is officially known …

  • Data Compliance

    What is data compliance? Data compliance is a practice and a process. It refers to adherence to protocols and standards that are designed to safeguard personal data and information. Data compliance requirements and regulations define (1) how data is collected, used, processed, and stored, and (2) the processes to ensure the data is protected …

  • Security Questionnaires

    Security Questionnaires are very common in business-to-business transactions. These often occur before a business decision is made regarding a product or service to be implemented by an organization. Security Questionnaires will often contain questions regarding the security posture of the organization, and whether the organization has undergone things such as vulnerability scans, outside …