Glossary

SOC 2

  • System Description (Section III)

    What is a system description? Generally speaking, a system description is a section of a technical document or report that provides an overview of the system, its structure and components, and explains how it works. It may also provide information about related systems and technologies used in conjunction with the main system. System descriptions are …

  • SOC 2 Bridge Letters

    Are you curious about SOC 2 bridge letters? If so, you’re in the right place. We’ll dive deep and provide you with an overview of what a SOC 2 bridge letter is, who issues them, and how long they last. A bridge letter is an important document in the world of system and organization controls …

  • SOC Trust Services Criteria

    What are SOC Trust Services Criteria? The SOC (Service Organization Control) Trust Services Criteria is a set of standards established by the AICPA (American Institute of Certified Public Accountants) for service organizations. These criteria are designed to provide assurance that a service organization has implemented proper internal controls over its operations. The Trust Services Criteria …

  • Carved-Out vs Inclusive Method

    What is the carved-out vs inclusive method? Simply put, these are two different methods for SOC reporting of your subservice organizations specifically. Subservice organizations include managed service organizations, data center providers, cloud providers, etc. Think about modern-day businesses. It is no longer common practice to develop your own system end-to-end. You would rather make use …

  • Attestation Report

    SOC 2 attestation, explained. Breaking it down into definitions, an ‘attestation’ is defined as “a declaration that something exists”, and “evidence or proof of something”. A synonym for attestation is the word ‘vouch’. That is the best way to simplify this. What is a SOC 2 attestation report in the compliance and audit world? Well, …

  • SOC 3

    By now, you should be very familiar with a SOC 2 report. In terms of classification of the report itself, a SOC 2 report is a private report. The nature of the report means that it contains sensitive information about the organization and their control environment, including systems used, specific control information, management assertion information, …

  • Testing Procedure

    What SOC 2 compliance testing procedures does an auditor follow? This question can only be answered at a high level. The reason for this is that the specific methodology of each auditing company varies. In all instances, the testing procedures that are defined address the same requirements (i.e. a specific control is tested in a similar …

  • Subservice Organization

    Overview of subservice organizations. As part of the SOC 1 or SOC 2 process, an organization needs to go through an exercise to identify vendors that are performing a service to the organization. Once those vendors are identified, the organization needs to understand which of those services performed have an impact on the control environment …

  • SOC 2 Compliance Requirements

    SOC 2 standard. SOC stands for Service Organization Controls (SOC). The controls that you design and implement inside your control environment will vary based upon the people, technology, and products your company develops. SOC 2 is based on five principles, which are: SOC 2 requirements When reviewing the nine SOC 2 trust service criteria (TSC) …

  • AICPA

    What is the AICPA? The AICPA (American Institute of Certified Public Accountants) is the US’s organization of Professional CPAs (Certified Public Accountants). The AICPA is the founder and originator of the SOC reporting standard and audit. Furthermore, the AICPA is a very influential body of professional accountants, and they combine the skills and expertise of …

  • SOC Reports

    What is a SOC report? SOC stands for Service Organization Controls. A SOC report provides a detailed assessment of the controls, processes, and implementation thereof within an organization. A SOC report is one of the easiest and most effective ways to verify and ensure that an organization is following industry best standards and that the controls …

  • Audit Period

    Think of the audit period as the time duration over which the policies/procedures/IT control environment/etc. are evaluated. An audit period is relevant in the world of compliance and auditing. Before a potential business partner or customer enters into contract agreements, pays money, and hands over important information, they want to be assured that the company …

  • SOC 2 Evidence Collection

    When it comes down to collecting evidence for the SOC 2 audit itself, there are a few key points that one needs to remember. Obtaining and submitting the incorrect audit evidence can cause audit headaches as it will most times mean having to recapture, extract, and submit the evidence again – showing the necessary key …

  • Auditor's Opinion

    SOC 2 is based on the American Institute of Certified Public Accountants (AICPA) standards to provide an audit opinion on the security, availability, processing integrity, confidentiality, and/or privacy of a service organization’s controls. What is a SOC 2 audit opinion? An audit opinion is the audit result or the audit outcome of a SOC …

  • SOC 2 Readiness Assessment

    What is a SOC 2 readiness assessment? A SOC 2 readiness assessment is exactly what the name implies: an assessment that is performed to see if a company, or more specifically the control environment of the company’s product, is ready for a SOC 2 audit. The objective of the report is to summarize the current …

  • Information Produced by the Entity (IPE)

    IPE audit evidence. IPE, or Information Produced/Provided by the Entity, is a term used in compliance and auditing that regards the actual information used by the auditor in order to assess, test, and draw conclusions about controls, and ultimately, the audit opinion. There is no clear-cut, Oxford-dictionary definition of what constitutes IPE, or IPE audit …

  • Complementary User Entity Control (CUEC)

    Complementary user entity controls (CUEC) are controls that reside at the user entity level of a service organization. User entities are organizations that utilize the services of a service organization. Essentially what it means is that there is a shared responsibility between two parties to ensure the control criteria are being achieved. Think of CUECs …

  • SOC 2 Auditor

    What does a SOC 2 auditor do? An auditor who has been accredited by the AICPA can attest and report on whether controls were suitably designed and effectively implemented during the audit period for an organization. Not all accountants are CPAs, so when hiring an auditor it is important to be sure they are commissioned …

  • SOC 2 Type II Report

    A SOC 2 Type II report assesses the design and operating effectiveness of an organization’s controls over a period of time. A SOC 2 Type II report is a report on an organization’s internal controls, capturing how a company safeguards customer data and how well those controls are operating. SOC 2 Type II Trust Principles …