So Many Terms…What Do They All Mean?

It is easy to feel overwhelmed by all of the terminology surrounding an audit. Here is a list of frequently used terms and their meanings:

AICPA: American Institute of CPAs

Audit Evidence: Evidence obtained during an audit that is used for audit testing.

Audit Testing: Tests performed to form conclusions on the design and operating effectiveness of controls.

Auditor’s Opinion: Statement recorded in the final report by the auditor. It is of three major types: (1) Unqualified Opinion: indicates the auditor’s endorsement of the accuracy and adequacy of the audit, (2) Qualified Opinion: not necessarily negative, but may indicate a limited scope of examination or that the auditor was unable to directly verify certain information, and (3) Adverse Opinion: indicates serious problems with the audit.

Auditor’s Reliance on the Work of Others: Auditors may be able to rely on other auditor’s work and testing in lieu of their own after they perform procedures on the work to determine its applicability, relevancy, and adequacy.

Bridge Letter: A letter the service organization can provide that covers the “gap” between the report date and another date; can be used instead of waiting for the next report.

Carve Out Report: This type of report includes the service organization’s description of its “system” which includes the services performed by a subservice organization, but excludes the control objectives and related controls of the service organization.

Client Control Considerations: This section of the SOC report includes controls which the user organization rather than the service organization would be responsible for such as “Clients are responsible for ensuring their users with access to the system are authorized.” In this example, a service organization does not know when a user organization’s employees terminate or no longer require access. A client control consideration similar to the one mentioned lets the user organization know that the responsibility for managing their user’s access resides with them and not the service organization.

Control Objectives: A series of statements put forth by an organization that address risks, for which these risks are to be effectively mitigated with supporting processes, procedures, policies, and related activities that are in place within the organization’s control environment.

Controls: A specific set of policies, procedures, and activities designed to meet an objective.
Description of Services: Section III of a SOC report that describes the service organization’s system or the services that the service organization provides.

Examination Period: The length of time covered by the examination in a Type II audit. Usually 6 – 18 months.

HIPAA: Health Insurance Portability and Accountability Act of 1996

HITECH: Health Information Technology for Economic and Clinical Health Act

Inclusive Report: The service organization’s description of its “system” includes services performed by subservice organizations in addition to their own and also includes the control objectives and related controls of the subservice organization within the audit report.

Initial Request List: The list of initial client requests to support the audit

Letter of Representation:  A letter issued by an auditor’s client to the auditor in writing as audit evidence. The letter is used by client management to declare in writing that the financial statements and other presentations to the auditor during the audit are sufficient and appropriate and without omission of material facts, to the best of the client’s knowledge.

Management Assertion: Management of the service organization provides the auditor with a written assertion that essentially “asserts” to a number of clauses and provisions for purposes of SSAE 16 compliance.

Qualified Opinion: Not necessarily negative, but may indicate a limited scope of examination or that the auditor was unable to directly verify certain information. Also, sometimes referred to affectionately as a Q-bomb.

Results of Tests: Results of controls testing used to validate the design or operating effectiveness of internal controls.

Risks: Threats to business operations or the achievement of control objectives.

Service Auditor: The auditor who reports on controls of a service organization that may be relevant to a user organization’s internal control as it relates to an audit.

Service Organization: The entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system.

SOC: Service Organization Control (three types: SOC 1 (formerly SSAE 16), SOC 2, SOC 3)

SSAE: Statement on Standards for Attestation Engagements

Trust Services Principles and Criteria: A set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. The five principles are: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Type I Report: A report on a description of a service organization’s system and the suitability of the design of control.

Type II Report: A Type II report includes the service organization’s description of controls as well as detailed testing of the service organization’s controls over a minimum of a six month period.

Unqualified Opinion: Statement recorded in the final report that indicates the auditor’s endorsement of the accuracy and adequacy of the audit.

User Organization: An organization using the service of a service organization.