SOC 2 & Compliance Glossary
Definitions of key terms used in SOC 2 audits, compliance frameworks, and AICPA attestation standards. Use this reference to navigate audit reports, understand Trust Services Criteria, and communicate effectively with your auditor.
A
- AICPA
- The American Institute of Certified Public Accountants. The professional organization that establishes auditing and attestation standards in the United States, including the standards governing SOC 1, SOC 2, and SOC 3 examinations.
- Attestation
- An engagement in which a CPA firm examines and reports on subject matter (such as an organization's controls) against established criteria. SOC 2 is an attestation engagement performed under SSAE 18 standards.
- Availability
- One of the five Trust Services Criteria. Availability addresses whether the system is operational and usable as committed or agreed upon. Controls include disaster recovery, business continuity, incident management, and capacity planning.
B
- Bridge Letter
- A written representation from the service organization's management covering the period between the end date of the most recent SOC 2 report and the current date, typically a few months. A bridge letter states that no material changes have occurred to the control environment since the last report was issued. It is a management statement, not something the service auditor has examined, so relying parties should treat it as interim coverage until the next report is available rather than as audited assurance.
C
- CCPA
- The California Consumer Privacy Act. A state privacy law granting California residents rights over their personal information, including the right to know, delete, and opt out of the sale of personal data. While distinct from SOC 2, organizations may address CCPA requirements through the Privacy Trust Services Criteria.
- Common Criteria
- The criteria within the Trust Services Criteria that apply to every SOC 2 engagement, numbered CC1 through CC9. CC1 to CC5 cover the COSO components: control environment, communication and information, risk assessment, monitoring activities, and control activities. CC6 to CC9 cover logical and physical access controls, system operations, change management, and risk mitigation. Not to be confused with the Common Criteria for IT security evaluation (ISO/IEC 15408), an unrelated product-certification scheme.
- CUECs (Complementary User Entity Controls)
- Controls that a service organization assumes its customers (user entities) will implement. CUECs are listed in the SOC 2 report and represent shared security responsibilities. For example, a SaaS provider may assume that customers enforce MFA on their user accounts.
- Confidentiality
- One of the five Trust Services Criteria. Confidentiality addresses the protection of information designated as confidential, including intellectual property, business plans, and data shared under NDA. Controls include access restrictions, encryption, and data classification.
- Control Activity
- A specific policy, procedure, or technical mechanism designed to mitigate a risk. Examples include access reviews, change management approvals, encryption enforcement, and vulnerability scanning. In a SOC 2 audit, auditors test whether control activities are suitably designed and operating effectively.
- Control Environment
- The organizational foundation that supports internal controls. This includes governance structures, management philosophy, organizational structure, assignment of authority and responsibility, and commitment to competence and accountability. The control environment sets the tone for the entire organization's approach to security and compliance.
- CPA (Certified Public Accountant)
- A professional designation granted by state boards of accountancy. Only licensed CPA firms can perform SOC 2 audits and issue attestation reports under AICPA standards.
G
- GDPR (General Data Protection Regulation)
- The European Union's comprehensive data protection regulation governing the collection, processing, and storage of personal data of individuals in the EU. While separate from SOC 2, organizations handling EU data often address GDPR alongside SOC 2.
H
- HIPAA (Health Insurance Portability and Accountability Act)
- A US federal law establishing standards for safeguarding patient health information, known as protected health information (PHI). Organizations handling PHI may pursue both HIPAA compliance and SOC 2 to address different regulatory and customer requirements.
I
- ISAE 3000
- International Standard on Assurance Engagements 3000. The international equivalent of SSAE 18, issued by the International Auditing and Assurance Standards Board (IAASB). Used for non-financial assurance engagements outside the United States.
- ISAE 3402
- International Standard on Assurance Engagements 3402. The international standard for reporting on controls at a service organization, analogous to SOC 1 in the United States. Commonly used by organizations serving international clients.
M
- Management Assertion
- A written statement from the service organization's management included in the SOC 2 report. The assertion confirms that the system description is accurate, that controls are suitably designed, and (for Type II) that controls operated effectively during the observation period.
O
- Observation Period
- The time window during which a service auditor tests the operating effectiveness of controls in a Type II engagement. Observation periods typically range from 3 to 12 months, with 6 and 12 months being the most common.
P
- Penetration Test
- A controlled, authorized attempt to exploit vulnerabilities in a system. While not required by SOC 2, penetration testing is commonly performed as part of a mature security program and provides evidence supporting Security criteria controls. Penetration testing is performed by security specialists, not by the SOC 2 auditor.
- Privacy
- One of the five Trust Services Criteria. Privacy addresses the collection, use, retention, disclosure, and disposal of personal information in conformity with the commitments in the organization's privacy notice and with applicable privacy regulations. It is the only category whose criteria are organized around the lifecycle of personal information rather than around the system as a whole.
- Processing Integrity
- One of the five Trust Services Criteria. Processing Integrity addresses whether system processing is complete, valid, accurate, timely, and authorized. Controls include input validation, error handling, reconciliation, and quality assurance procedures.
Q
- Qualified Opinion
- An auditor's opinion indicating that controls are suitably designed and operating effectively, except for one or more specific deficiencies. A qualified opinion is a negative finding — it means the auditor identified material exceptions. Compare with unqualified opinion.
R
- Readiness Assessment
- A pre-audit evaluation performed by a CPA firm to identify gaps in an organization's control environment before the formal SOC 2 examination begins. A readiness assessment helps organizations remediate issues and avoid surprises during the audit. It is advisory in nature and does not result in a SOC 2 report.
- Risk Assessment
- The process of identifying and evaluating risks that could affect the achievement of the organization's objectives. In SOC 2, risk assessment is a Common Criteria requirement — organizations must demonstrate a formal process for identifying, analyzing, and managing risks to the security and availability of their systems.
S
- Security
- The foundational Trust Services Criteria category, required in every SOC 2 engagement. Security (also known as the Common Criteria) addresses protection against unauthorized access, both physical and logical. It encompasses the control environment, risk management, monitoring, and all baseline security controls.
- Service Auditor
- The CPA firm engaged to examine and report on a service organization's controls. The service auditor performs testing, evaluates evidence, and issues the SOC 2 report containing their independent opinion.
- Service Organization
- An organization that provides services to other entities (user entities) and whose controls over those services are relevant to the user entities' internal controls. In SOC 2, the service organization is the company being audited.
- SOC 1
- A report on controls at a service organization relevant to user entities' internal control over financial reporting. SOC 1 is governed by SSAE 18 and is used when the service organization's processing affects its clients' financial statements.
- SOC 2
- A report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy. SOC 2 is the compliance report most commonly requested of technology and SaaS companies by their customers. It is governed by SSAE 18 and evaluated against the Trust Services Criteria.
- SOC 3
- A general-use report based on the same Trust Services Criteria as SOC 2, but designed for public distribution. SOC 3 reports contain the auditor's opinion without the detailed control descriptions and test results included in SOC 2.
- SSAE 18
- Statement on Standards for Attestation Engagements No. 18. The AICPA professional standard governing attestation engagements, including SOC 1 and SOC 2 examinations. SSAE 18 replaced SSAE 16 in 2017 and establishes requirements for planning, performing, and reporting on attestation engagements.
- Subservice Organization
- A third-party organization used by the service organization to perform services that are part of the system being audited. Common subservice organizations include cloud infrastructure providers (AWS, GCP, Azure), data center operators, and managed service providers. The service organization must disclose subservice organizations in its SOC 2 report, using either the carve-out method (the subservice organization's controls are excluded from the scope of the report and listed as complementary subservice organization controls that the reader is expected to verify separately, for example through the provider's own SOC 2 report) or the inclusive method (the subservice organization's controls are included in the system description and tested by the service auditor). Readers should check which method was used before assuming the report covers the underlying cloud or hosting environment.
T
- Trust Services Criteria (TSC)
- The framework developed by the AICPA against which SOC 2 controls are evaluated. The five categories are: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Organizations select which criteria to include based on their services and customer commitments.
- Type I Report
- A SOC 2 report that evaluates the design and implementation of controls at a specific point in time. Type I reports confirm that controls are suitably designed but do not test whether they operated effectively over a period. Often used as a stepping stone to a Type II report.
- Type II Report
- A SOC 2 report that evaluates both the design and operating effectiveness of controls over a defined observation period (typically 3-12 months). Type II reports are the standard expectation for mature organizations and provide stronger assurance than Type I reports.
U
- Unqualified Opinion
- An auditor's opinion indicating that controls are suitably designed and (for Type II) operating effectively, without material exceptions. An unqualified opinion is the desired outcome of a SOC 2 audit and is also referred to as a "clean" opinion. It does not mean that no exceptions were found: individual test exceptions that the auditor judged not to affect the overall opinion may still be listed in the test results, so relying parties should review them rather than stopping at the opinion letter.
- User Entity
- An organization that uses the services of a service organization. In SOC 2, user entities are the customers of the company being audited. User entities and their auditors are the primary audience for SOC 2 reports.