SOC Terminology Glossary

Last Updated: November 18, 2025

A

AICPA (American Institute of Certified Public Accountants)
The national professional organization for CPAs in the United States that establishes auditing standards including those for SOC reports.
Assertion
Management's written statement regarding the fairness of the system description and the suitability of design and operating effectiveness of controls.
Attestation Engagement
An examination in which a practitioner issues a report about subject matter or an assertion that is the responsibility of another party.
AT-C Section 320
The attestation standard for reporting on an examination of controls at a service organization relevant to user entities' internal control over financial reporting.
AU-C Section 402
The auditing standard that addresses the user auditor's responsibility when a user entity uses a service organization.
Availability
One of the five Trust Service Criteria; refers to the system being available for operation and use as committed or agreed.

B

Boundary of the System
The scope of the services, infrastructure, software, people, procedures, and data included in the SOC report.
Bridge Letter
A communication from the service organization or service auditor that provides information about changes or events occurring after the report period but before issuance.

C

Carve-Out Method
An approach where the services and controls of a subservice organization are excluded from the scope and description of the service organization's system.
Compensating Control
An alternative control that mitigates the risk addressed by a control that has an identified exception or deficiency.
Complementary User Entity Controls (CUECs)
Controls that the service organization assumes, in the design of its service, will be implemented by user entities and are necessary to achieve control objectives.
Confidentiality
One of the five Trust Service Criteria; information designated as confidential is protected as committed or agreed.
Control Activity
The specific policies and procedures established to achieve control objectives.
Control Deficiency
A design or operating weakness that prevents a control from achieving its stated objective.
Control Environment
The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
Control Objective
A statement of the desired result or purpose to be achieved by implementing control activities.
COSO Framework
The Committee of Sponsoring Organizations' Internal Control - Integrated Framework, a widely accepted model for evaluating internal controls.
CPA (Certified Public Accountant)
A licensed accounting professional who can perform SOC examinations and issue attestation reports.

D

Detective Control
A control designed to discover errors or irregularities after they have occurred, such as reconciliations or monitoring activities.
Design Effectiveness
The assessment of whether a control, if operated as designed, would be capable of achieving its stated objective.

E

Exception
A specific instance identified during testing where a control did not operate as designed or a deviation from expected results occurred.
Examination Engagement
An attestation engagement in which the practitioner obtains reasonable assurance by obtaining sufficient appropriate evidence about the subject matter.

F

Financial Statement Assertions
Representations by management embodied in financial statements: existence, completeness, valuation, rights and obligations, and presentation and disclosure.

G

GAAS (Generally Accepted Auditing Standards)
A set of systematic guidelines that auditors follow when conducting audits of companies' financial statements.

I

IAASB (International Auditing and Assurance Standards Board)
The independent standard-setting body that develops international standards for auditing, including ISAE 3402.
Inclusive Method
An approach where the services and controls of a subservice organization are included in the service organization's description and scope of the examination.
Inquiry
A testing procedure that involves seeking information from knowledgeable persons about control procedures.
Inspection
Examination of records, documents, or tangible assets to obtain audit evidence about control operation.
ISAE 3402
International Standard on Assurance Engagements 3402, the international equivalent of SSAE 18 for SOC reports.

M

Management Assertion
A written statement by management regarding the fairness of the presentation of the description and the suitability of the design and operating effectiveness of controls.
Modified Opinion
A qualified or adverse opinion issued when there are significant deficiencies or when the service auditor cannot obtain sufficient evidence.

O

Observation
A testing procedure that involves watching a process or procedure being performed by others.
Operating Effectiveness
The assessment of whether controls operated as designed and whether the person performing the control possesses the necessary authority and competence.

P

PCAOB (Public Company Accounting Oversight Board)
A nonprofit organization that oversees the audits of public companies and broker-dealers.
Preventive Control
A control designed to prevent errors or irregularities from occurring, such as authorization requirements or segregation of duties.
Privacy
One of the five Trust Service Criteria; personal information is collected, used, retained, disclosed, and disposed of in conformity with privacy commitments.
Processing Integrity
One of the five Trust Service Criteria; system processing is complete, valid, accurate, timely, and authorized.

R

Reasonable Assurance
A high, but not absolute, level of assurance that controls are operating effectively and meet stated objectives.
Re-performance
The auditor's independent execution of procedures or controls to verify that they produce the expected results.
Report Period
The time period during which the service auditor tests the operating effectiveness of controls (for Type II reports).
Review Period
See Report Period. The period covered by a Type II SOC report, typically 6-12 months.
Risk Assessment
The process of identifying and analyzing relevant risks to the achievement of objectives.

S

Sample Size
The number of items selected from a population for testing to obtain evidence about control operating effectiveness.
Scope
The boundary of the services, systems, and controls included in the SOC report examination.
Security
One of the five Trust Service Criteria (required for SOC 2); protection against unauthorized access to the system.
Segregation of Duties
A key control principle where responsibilities are divided among different people to reduce the risk of error or fraud.
Service Auditor
The independent CPA or CPA firm that performs the SOC examination and issues the attestation report.
Service Organization
An organization that provides services to user entities that are likely relevant to those user entities' internal control over financial reporting.
SOC 1 (Service Organization Control 1)
A report on controls at a service organization relevant to user entities' internal control over financial reporting.
SOC 2 (Service Organization Control 2)
A report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
SOC 3
A general-use report based on SOC 2 that can be freely distributed to the public, containing only the service auditor's opinion without detailed testing results.
SOX (Sarbanes-Oxley Act)
A U.S. federal law that established new requirements for all public company boards, management, and public accounting firms.
SSAE 18 (Statement on Standards for Attestation Engagements No. 18)
The U.S. attestation standard that governs SOC 1 examinations; replaced SSAE 16 in 2017.
Subservice Organization
A service organization used by another service organization (the user service organization) to perform some of the services provided to user entities.
Substantive Testing
Audit procedures designed to detect material misstatements in account balances and transactions.
System Description
A written presentation prepared by management that describes the service organization's system and controls.

T

Test of Controls
Audit procedures designed to evaluate the operating effectiveness of controls in preventing or detecting material misstatements.
Trust Service Criteria (TSC)
The five criteria used in SOC 2 examinations: security, availability, processing integrity, confidentiality, and privacy.
TSP Section 100
The attestation standard section that provides the framework for SOC 2 examinations based on Trust Service Criteria.
Type I Report
A SOC report that evaluates the design of controls at a specific point in time without testing operating effectiveness.
Type II Report
A SOC report that evaluates both the design and operating effectiveness of controls over a specified period of time (typically 6-12 months).

U

Unqualified Opinion
A clean opinion issued when the service auditor concludes that controls were suitably designed and operating effectively, with any exceptions disclosed in the test results.
User Auditor
The auditor who audits and reports on the financial statements of a user entity.
User Entity
An entity that uses a service organization and whose financial statements are being audited.

W

Walkthrough
A procedure where the auditor traces a transaction from inception through the organization's processes and information systems to understand control design.

Simplify SOC Report Analysis

SOC Review automatically extracts and organizes all the terminology and information from SOC reports, making complex audits faster and more accurate.