It is easy to feel overwhelmed by all of the terminology surrounding an audit. Here is a list of frequently used terms and their meanings:
AICPA: American Institute of CPAs
Audit Evidence: Evidence obtained during an audit that is used for audit testing.
Audit Testing: Tests performed to form conclusions on the design and operating effectiveness of controls.
Auditor’s Opinion: Statement recorded in the final report by the auditor. It is of three major types: (1) Unqualified Opinion: indicates the auditor’s endorsement of the accuracy and adequacy of the audit, (2) Qualified Opinion: not necessarily negative, but may indicate a limited scope of examination or that the auditor was unable to directly verify certain information, and (3) Adverse Opinion: indicates serious problems with the audit.
Auditor’s Reliance on the Work of Others: Auditors may be able to rely on other auditors’ work and testing in lieu of their own after they perform procedures on that work to determine its applicability, relevance, and adequacy.
Bridge Letter: A letter the service organization can provide that covers the “gap” between the report date and another date; can be used instead of waiting for the next report.
Carve-Out Report: This type of report includes the service organization’s description of its “system,” which includes the services performed by a subservice organization, but excludes the control objectives and related controls of the subservice organization.
Client Control Considerations: This section of the SOC report includes controls for which the user organization, rather than the service organization, is responsible, such as “Clients are responsible for ensuring their users with access to the system are authorized.” In this example, a service organization does not know when a user organization’s employees terminate or no longer require access. A client control consideration similar to the one mentioned lets the user organization know that the responsibility for managing its users’ access resides with it and not the service organization.
Control Objectives: A series of statements put forth by an organization that address risks; each risk is to be effectively mitigated by the supporting processes, procedures, policies, and related activities that are in place within the organization’s control environment.
Controls: A specific set of policies, procedures, and activities designed to meet an objective.
Description of Services: Section III of a SOC report that describes the service organization’s system or the services that the service organization provides.
Examination Period: The length of time covered by the examination in a Type II audit. Usually 6 – 18 months.
HIPAA: Health Insurance Portability and Accountability Act of 1996
HITECH: Health Information Technology for Economic and Clinical Health Act
Inclusive Report: The service organization’s description of its “system” includes services performed by subservice organizations in addition to its own, and the audit report also includes the control objectives and related controls of the subservice organization.
Initial Request List: The list of initial client requests to support the audit.
Letter of Representation: A letter issued by an auditor’s client to the auditor in writing as audit evidence. The letter is used by client management to declare in writing that the financial statements and other presentations to the auditor during the audit are sufficient and appropriate and without omission of material facts, to the best of the client’s knowledge.
Management Assertion: Management of the service organization provides the auditor with a written assertion that essentially “asserts” to a number of clauses and provisions for purposes of SSAE 16 compliance.
Qualified Opinion: Not necessarily negative, but may indicate a limited scope of examination or that the auditor was unable to directly verify certain information. Also, sometimes referred to affectionately as a Q-bomb.
Results of Tests: Results of controls testing used to validate the design or operating effectiveness of internal controls.
Risks: Threats to business operations or the achievement of control objectives.
Service Auditor: The auditor who reports on controls of a service organization that may be relevant to a user organization’s internal control as it relates to an audit.
Service Organization: The entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system.
SOC: Service Organization Control (three types: SOC 1 (formerly SSAE 16), SOC 2, SOC 3)
SSAE: Statement on Standards for Attestation Engagements
Trust Services Principles and Criteria: A set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. The five principles are: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Type I Report: A report on a description of a service organization’s system and the suitability of the design of its controls.
Type II Report: A Type II report includes the service organization’s description of controls as well as detailed testing of the service organization’s controls over a minimum of a six month period.
Unqualified Opinion: Statement recorded in the final report that indicates the auditor’s endorsement of the accuracy and adequacy of the audit.
User Organization: An organization using the service of a service organization.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice; he also performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in internal audit in a variety of industries as well as for the City and County of Denver.