SOC 2 Glossary

Service Organization Control 2 - An auditing procedure that ensures service companies securely manage data to protect the interests of their organization and client data.

A framework developed by the AICPA that defines criteria for evaluating controls at service organizations.

An audit report that evaluates the design of controls at a specific point in time.

An audit report that evaluates both the design and operating effectiveness of controls over a period of time.

Protection against unauthorized access to systems, applications, and data.

The accessibility of systems, applications, and data for operation and use as committed or agreed.

System processing that is complete, valid, accurate, timely, and authorized.

Information designated as confidential is protected as committed or agreed.

Personal information is collected, used, retained, disclosed, and disposed of in conformity with privacy commitments.

Control criteria that relate to all five trust service categories and form the foundation of SOC 2 audits.

An entity that provides services to user entities where those services are part of the user entities' information systems.

An entity that uses a service organization and whose financial statements are being audited.

A deficiency in the design or operation of a control that does not allow management to prevent or detect misstatements.

A deficiency or combination of deficiencies in internal control that is of such magnitude that there is a reasonable possibility of material noncompliance.

Controls that user entities should implement to complement the service organization's controls.

Policies and procedures that help ensure management directives are carried out.

The identification and analysis of relevant risks to achievement of objectives.

Authorized simulated attacks on computer systems to evaluate security.

The process of converting information into a coded format to prevent unauthorized access.

Security measures that regulate who can view or use resources in a computing environment.

Organized approach to addressing and managing security breaches or cyber attacks.

Process of controlling modifications to systems, applications, and infrastructure.

Process of evaluating, selecting, and overseeing third-party service providers.

Planning and preparation to ensure critical business functions can continue during and after a disaster.

Ongoing evaluation of the performance and effectiveness of controls.

Process of organizing data by relevant categories so it can be used and protected more efficiently.

Access to computer systems, applications, and data through software-based controls.

Access to physical locations where systems and data are housed.

Document prepared by management that describes the service organization's system.

Controls that user entities should implement to complement service organization controls.

The foundation for all other components of internal control, providing discipline and structure.

A service organization used by another service organization to perform some services.

Audit approach where subservice organization controls are excluded from the service auditor's testing.

Audit approach where subservice organization controls are included in the service auditor's testing.

Letter that extends the period covered by a SOC 2 report without performing a full audit.

Instance where a control did not operate as designed during the audit period.

Process of selecting a subset of items from a population for testing.

Procedure where the auditor traces a transaction from origination through the system.

Process of defining what systems, applications, and processes are included in the SOC 2 audit.

Preliminary evaluation to determine an organization's preparedness for a SOC 2 audit.