SOC glossary.
Plain-language definitions for SOC and compliance terminology.
- Attestation
  - A formal statement or assertion by a CPA firm about the subject matter being examined, issued under professional standards.
- Availability
  - One of the five Trust Services Criteria categories. Addresses whether the system is available for operation and use as committed.
- Confidentiality
  - One of the five Trust Services Criteria categories. Addresses protection of information designated as confidential.
- Control deficiency
  - A condition where the design or operation of a control does not allow management or employees to prevent, or detect and correct, misstatements or exceptions on a timely basis.
- Exception
  - An instance where a control did not operate as designed during the examination period. Exceptions are documented with context and remediation notes.
- ICFR
  - Internal Control over Financial Reporting. The focus of SOC 1 examinations, relevant to service organizations whose controls affect customers' financial statements.
- Processing Integrity
  - One of the five Trust Services Criteria categories. Addresses whether system processing is complete, valid, accurate, timely, and authorized.
- Privacy
  - One of the five Trust Services Criteria categories. Addresses the collection, use, retention, disclosure, and disposal of personal information.
- Security
  - The foundational Trust Services Criteria category (always included in SOC 2). Addresses protection against unauthorized access, both physical and logical.
- SOC 1
  - A report on controls at a service organization relevant to user entities' internal control over financial reporting. Governed by SSAE 18.
- SOC 2
  - A report on controls relevant to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy. Restricted-use; shared with specified parties.
- SOC 3
  - A general-use report covering the same Trust Services Criteria as SOC 2 but with less detail. Can be freely distributed.
- SSAE 18
  - Statement on Standards for Attestation Engagements No. 18. The AICPA's clarified attestation standards framework that governs SOC examinations.
- Trust Services Criteria (TSC)
  - Control criteria established by the AICPA for use in SOC 2 and SOC 3 examinations, covering Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- Type I report
  - An examination report that evaluates the design and implementation of controls at a specific point in time.
- Type II report
  - An examination report that evaluates both the design and operating effectiveness of controls over a specified period (typically six months or more).