Compliance Glossary

Our curated compliance glossary offers everything you need to know about compliance in one place.

A

AICPA

The American Institute of Certified Public Accountants (AICPA) is a professional organization representing certified public accountants in the United States. It was founded in 1887 and has more than 428,000 members currently. The AICPA sets accounting and auditing standards for the profession, provides education and training, and advocates for its members. It also offers certifications…

Attestation

An attestation is a formal declaration or statement made by an independent third party (such as an accountant, auditor, or lawyer) expressing an opinion or providing assurance about certain information’s accuracy, reliability, or completeness. Attestations are commonly used in financial reporting to provide additional credibility and trustworthiness to the information being presented.

Attestation Report

An attestation report is a written statement by an independent third party (such as a CPA or an auditor) that expresses an opinion on the reliability and accuracy of an organization’s financial statements or other information. An attestation report is used to assure stakeholders (such as shareholders, creditors, and regulators) that the information being presented…

Auditor’s Opinion

An auditor’s opinion is a written statement by an independent auditor expressing an opinion on the fairness and consistency of a company’s financial statements with generally accepted accounting principles (GAAP). The auditor’s opinion is typically included in an audit report, a formal document summarizing the auditor’s findings and conclusions from the audit engagement. An auditor’s…

Availability

In the context of SOC 2 (Service and Organization Controls), availability refers to the principle that requires organizations to have systems and processes in place to ensure that their services are available to their customers as needed. The availability principle is one of five trust services principles that are covered in a SOC 2 attestation…

Cloud Service Providers

Cloud service providers offer various types of cloud computing services to their customers. Cloud computing is a model of computing that delivers shared computing resources (such as networks, servers, storage, applications, and services) over the internet rather than using local servers or personal devices. Cloud service providers offer a variety of services, including:

– Infrastructure as a…

Cloud-hosted Business

A cloud-hosted business is a company that uses cloud computing services to host and operate its business applications, data, and other resources. Cloud computing is a model of computing that delivers shared computing resources (such as networks, servers, storage, applications, and services) over the internet rather than using local servers or personal devices. By using…

Compliance Report

A compliance report is a document that summarizes the results of an evaluation of an organization’s compliance with relevant laws, regulations, standards, or policies. Such reports are used to assess an organization’s adherence to these requirements and to identify any areas where the organization may be non-compliant. Compliance reports may be prepared by internal teams or…

Confidentiality

In the context of SOC 2 (Service and Organization Controls), confidentiality refers to the principle that requires organizations to protect the confidentiality of their customers’ data and information. The confidentiality principle is one of five Trust Services Criteria covered in a SOC 2 attestation engagement. To meet the confidentiality principle, organizations must have controls to…

Control Mapping

Control mapping is the process of identifying, documenting, and evaluating the controls in place within an organization to address specific risks or objectives. It involves creating a map or diagram that illustrates the relationships between the various controls and how they work together to achieve the desired outcome. Control mapping is commonly used in risk management and compliance…

Controlled Disclosure

Controlled disclosure is the practice of releasing information to a restricted group of people or in a controlled manner rather than making the information widely available. Controlled disclosure is often used to protect sensitive or confidential information from unauthorized access or disclosure. An example of controlled disclosure might be a company releasing financial information to its shareholders but only…

CPA

Certified Public Accountant (CPA) is a professional designation given to accountants in the United States who have passed a certification exam and met certain education and experience requirements. It is a globally recognized credential for which aspirants must take the Uniform CPA Examination. A CPA is licensed by the state in which they practice to…

IaaS

Infrastructure as a Service (IaaS) is a cloud computing service that provides customers with access to computing infrastructure (such as servers, storage, and networking) on a pay-per-use basis. IaaS enables customers to rent or lease infrastructure resources on an as-needed basis rather than purchasing and maintaining their own in-house infrastructure. With IaaS, customers can scale their…

Internal Audit

An internal audit is a type of organizational audit that is conducted by a company’s own employees, rather than by an external third party. The purpose of an internal audit is to evaluate and improve the effectiveness of a company’s internal controls, risk management, and governance processes. Internal audits may cover a wide range of…

Internal Corporate Governance

Internal corporate governance refers to the processes and structures a company puts in place to ensure that it is managed ethically, transparently, and accountably. It includes the policies, procedures, and systems that a company uses to make decisions, set and achieve strategic goals, and manage risks. An example of internal corporate governance might be a…

Management Assertion

A SOC 2 Management Assertion is a statement by a company’s management related to its system undergoing an audit. This statement is concerned with the effectiveness of the company’s internal controls related to security, availability, processing integrity, confidentiality, and privacy. The management acknowledges that the information they have provided is accurate per the descriptions. Additionally,…

PII

PII refers to Personally Identifiable Information or any information used to identify a person. SOC 2 requires businesses that handle sensitive data to implement appropriate controls to ensure PII’s confidentiality, integrity, and availability. Examples of PII in a SOC 2 report include names, addresses, telephone numbers, email addresses, social security numbers, and financial information such…

Privacy

Privacy is one of the five trust service criteria of SOC 2. It concerns the personal information an entity collects, uses, retains, discloses, and disposes of to meet its objectives. The privacy principle aims to ensure that service organizations that handle sensitive personal information do so in a responsible and trustworthy manner. They should have appropriate controls in place to…

Processing Integrity

Processing Integrity is one of the five trust service criteria of SOC 2. It refers to how complete, valid, accurate, timely, and authorized your system processing is. It seeks to address whether your system meets its goal without error, delay, omission, or unauthorized manipulation. Processing integrity is addressed at the functional or system level. The…

QSA

A QSA, or Qualified Security Assessor, is an AICPA (American Institute of Certified Public Accountants) trained professional. They assess your organization’s systems and controls as required by the SOC 2 standard. QSAs are responsible for conducting independent assessments of your organization and preparing a report based on the findings and observations. They would review your…

Quality Control

SOC 2 quality control refers to the measures and policies a service organization should implement to ensure that their systems, processes, and controls meet the SOC 2 standards. These measures can include internal audits, control testing, or a review of policies and procedures as often as needed. Quality control aims to ensure that you offer…

Quality Report

A SOC 2 quality report is a document that service organizations use to demonstrate that they have adequate controls, policies, and processes in place to secure customer data. These controls are related to the five trust principles: security, availability, processing integrity, confidentiality, and privacy. Security is the most important and compulsory criterion, while others can…

Risk Assessment

Risk assessment in SOC 2 is the process a service organization uses to identify potential gaps in their security system and non-conformities. It is used to identify and evaluate existing and potential vulnerabilities that can negatively impact the organization’s controls. This is an essential criterion in SOC 2, and the lack of a robust risk assessment…

Risk Mitigation

Risk mitigation in SOC 2 refers to the strategies and controls that a service organization implements to minimize security threats and risks to customer data. These strategies and controls can include implementing strong access controls and security protocols, regularly testing and updating the organization’s systems, and implementing robust incident response and disaster recovery processes. By…

SAS 70

SAS 70 is a standard developed by the American Institute of Certified Public Accountants (AICPA) to evaluate the security controls of service organizations. It guides them and their auditors in demonstrating the effectiveness of their controls to their clients and their clients’ auditors. SAS 70 has since been replaced by the Statement on Standards for Attestation…

Security

Security is one of the five trust service criteria of SOC 2. It refers to the protection of information and systems from unauthorized disclosure of information or damages to systems that may result in compromised availability, integrity, confidentiality, and privacy in a way that affects the capacity of the organization to meet its objectives. It seeks…

Service Auditor

A SOC 2 auditor is an AICPA-certified professional who evaluates the system and controls that a service organization implements to meet the requirements of the SOC 2 trust principles. After assessing and observing the controls, they will create a report based on the findings. This report demonstrates that your business has sufficient controls and processes to…

Service Organization

A service organization is a business that provides services to its customers rather than physical goods. These services may include various business utilities such as consulting, legal, insurance, banking, education, etc. A service organization that stores, processes, or manages sensitive customer information must have sufficient controls and processes to secure this data.

SOC 1

SOC 1 is a type of audit that assesses a service organization’s controls relevant to its clients’ financial reporting. The purpose of a SOC 1 audit is to evaluate the controls at a service organization that are relevant to the financial reporting of its clients and provide assurance on the operational efficiency of these controls. …

SOC 2

SOC 2 is a type of audit that assesses the controls of a service organization relevant to the security, availability, processing integrity, confidentiality, and privacy of the service organization’s systems. The purpose is to evaluate the controls pertinent to these five trust services criteria and assure that the controls operate effectively. The service organization’s clients…

SOC 2 Auditor

A SOC 2 auditor is a professional who has been trained and certified to assess an organization’s compliance with the AICPA’s (American Institute of Certified Public Accountants) Service Organization Control (SOC) 2 standard. A SOC 2 audit involves an in-depth examination of an organization’s systems, processes, and controls, as well as a review of the…

SOC 2 Controls Efficiency

SOC 2 Controls Efficiency is a process used to assess whether the security measures you have in place in your business environment are doing their job as they are supposed to. For example, suppose you have a secure vault storing all your important documents and valuables. To keep it safe, you have a security system with multiple…

SOC 2 Entity-Level Mapping

SOC 2 entity-level mapping ensures that all parts of your company’s data and systems are well-connected and secure. It’s similar to securing a huge 14-bedroom mansion, where you want to protect each room with a unique key and ensure no intruders can enter. Here, the unique key to each room keeps people out. And just…

SOC 2 Section 3

SOC 2 Section 3, also known as the “system description,” is a requirement of the SOC 2 standard. The system description, which is included in Section III of a SOC 2 report, provides important details about the personnel, processes, and technology that support your product or service. It is a summary of your organization and…

SOC 2 Type 1 Report

A SOC 2 Type 1 report assesses an organization’s controls at a certain point in time. It provides information on the design and implementation of the controls in place to protect the security, privacy, and confidentiality of sensitive customer data. An example of a SOC 2 Type 1 report might include an assessment of an…

SOC 2 Type 2 Report

A SOC 2 Type 2 report is an assessment of an organization’s controls over a period of time, typically six months to a year. It provides information on the design and operating effectiveness of the controls in place to protect the security, privacy, and confidentiality of sensitive customer data. The report would also include information…

SOC 3

A SOC 3 report summarizes the controls a service organization has in place to protect the security, availability, processing integrity, confidentiality, and privacy of the services it provides. It’s based on the SSAE 18 standard and is similar to a SOC 2 report but doesn’t contain as much detail about the system and services. This…

SOC Reports

SOC reports, or Service Organization Control reports, are a type of assurance report that organizations can obtain to provide assurance about the controls they have in place related to a service they offer. There are three types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 reports relate to controls relevant to user…

SSAE

Statement on Standards for Attestation Engagements (SSAE) is a professional standards document that guides practitioners on performing attestation engagements. Attestation engagements are engagements in which a practitioner expresses a conclusion about the reliability of a written assertion made by another party. The SSAE is issued by the Auditing Standards Board (ASB) of the American Institute…

SSAE 18

SSAE 18 is a set of updates to the SOC (Service Organization Control) report standards, replacing the previous version, SSAE 16, and the older SAS 70 report. These enhancements aim to improve the quality and usefulness of SOC reports. With these updates, companies will be required to take more responsibility for identifying and categorizing risks…

SSAE 16

SSAE 16, or the Statement on Standards for Attestation Engagements No. 16, is a set of guidelines and auditing standards published by the Auditing Standards Board of the American Institute of Certified Public Accountants. It provides guidance on how service companies can report on the compliance controls they have in place, and has been updated…

TSC

The Trust Service Criteria (TSC) are the specific criteria that must be met in order for a service organization to achieve compliance with SOC 2. The TSC are divided into five categories: security, availability, processing integrity, confidentiality, and privacy. Within each category, there are specific controls and requirements that must be implemented and maintained in…

Jun 20, 2023