It is easy to feel overwhelmed by all of the audit terms and definitions. Here is a list of frequently used audit terminology and their meanings:
AICPA: American Institute of CPAs; the governing body for SOC 1 and SOC 2 audits responsible for establishing the relevant audit standards and guidance.
Adverse Opinion – Indicates serious problems with the audit, including that the organization has failed to achieve the compliance standard that was audited.
Audit Evidence: Evidence obtained during an audit that is used for audit testing.
Audit Report: Report issued by the auditor summarizing the audit scope, audit testing, and results of testing.
Audit Testing: Tests performed to form conclusions on the design and operating effectiveness of controls.
Auditor’s Opinion: Statement recorded in the final report by the auditor based on an evaluation of the audit evidence obtained. The auditor’s opinion will be one of the following four types: Unqualified Opinion, Qualified Opinion, Disclaimer of Opinion, or Adverse Opinion.
Auditor’s Reliance on the Work of Others: Auditors may be able to rely on other auditors’ work and testing in lieu of their own after they perform procedures on the work to determine its applicability, relevancy, and adequacy.
Bridge Letter: A letter the service organization can provide that covers the “gap” between the report date and another date; can be used instead of waiting for the next report.
Carve Out Report: This type of report includes the service organization’s description of its “system” which includes the services performed by a subservice organization but excludes the control objectives and related controls of the service organization.
Client Control Considerations: This section of the SOC report includes controls that the user organization rather than the service organization would be responsible for such as “Clients are responsible for ensuring their users with access to the system are authorized.” In this example, a service organization does not know when a user organization’s employees terminate or no longer require access. A client control consideration similar to the one mentioned lets the user organization know that the responsibility for managing their user’s access resides with them and not the service organization.
CMMC: Cybersecurity Maturity Model Certification, which is aligned with the Department of Defense’s information security requirements for Defense Industrial Base partners.
Control Objectives: A series of statements put forth by an organization that addresses risks, for which these risks are to be effectively mitigated with supporting processes, procedures, policies, and related activities that are in place within the organization’s control environment.
Control Activities (Controls): A specific set of policies, procedures, and activities designed to meet an objective.
CSP (Cloud Service Providers): a company that offers cloud computing services for infrastructure, applications, and/or storage.
Description of Services: Section III of a SOC report that describes the service organization’s system or the services that the service organization provides.
Deviation: An exception to a control/process. Also referred to as an exception or a finding. Deviations identified by the auditor are typically disclosed in the audit report.
Disclaimer of Opinion: An opinion issued when the auditor is unable to obtain sufficient appropriate audit evidence on which to base the opinion.
Electronic Personal Health Information (ePHI): Personal health information (in an electronic or digital format) about an individual; e.g., the details of an individual’s past, present, or future physical or mental health condition(s).
Examination Period: The length of time covered by the examination in a Type II audit. Usually 6 – 18 months.
External Auditor: An independent third party responsible for inspecting clients’ systems and internal control processes and expressing an opinion as to whether internal controls are presented fairly in accordance with the applicable criteria subjected to the audit.
FedRAMP: Federal Risk and Authorization Management Program; the compliance framework for cloud service providers that want to provide their services to the federal government.
HIPAA: Health Insurance Portability and Accountability Act of 1996 – the compliance framework for health plans, healthcare clearinghouses, and any healthcare provider who transmits health information in electronic form in connection with a transaction for which the Secretary of Health and Human Services (HHS) has adopted standards under HIPAA (the ‘covered entities’) and to their business associates.
HITECH: Health Information Technology for Economic and Clinical Health Act – another healthcare regulation addressing the privacy and security considerations associated with the transmission of electronic personal health information (ePHI).
HITRUST: An industry-agnostic certification based on over 35 industry-standard frameworks that include industry best practices and tailored controls based on a company’s services, organization, and industry.
ICFR: Internal controls over financial reporting.
Inclusive Report: The service organization’s description of its “system” includes services performed by subservice organizations in addition to their own and also includes the control objectives and related controls of the subservice organization within the audit report.
Information Provided by the Entity (IPE): Evidence for the audit that is generated by the entity and used by the auditors to test a control.
Information Used by the “Company or Entity” (IUC): Evidence that is used by the Company/Entity, in order to perform or execute their internal controls.
Initial Request List: The list of initial client requests to support the audit.
Internal Auditor: Either an individual or department or a contracted third-party tasked with providing unbiased, independent reviews of systems, business organizations, and processes. A different party than the external auditor.
IEC: International Electrotechnical Commission; a global, not-for-profit membership organization that brings together more than 170 countries and coordinates the work of 20000 experts globally.
ISMS: Information security management system.
ISO: International Organization for Standardization; an international standard development organization composed of representatives from the national standards organizations of member countries.
ISO/IEC 27001: Specifies the requirements for establishing an ISMS, and ISO/IEC 27002 provides the detailed best practices and controls that can be applied within the ISMS.
ISO 27002: Provides best practice recommendations for companies looking to achieve ISO/IEC 27001 certification.
Letter of Representation (LOR): A letter issued by an auditor’s client to the auditor in writing as audit evidence. The letter is used by client management to declare in writing that the financial statements and other presentations to the auditor during the audit are sufficient and appropriate and without omission of material facts, to the best of the client’s knowledge.
Management Assertion: Management of the service organization provides the auditor with a written audit assertion that essentially “asserts” to a number of clauses and provisions for purposes of SSAE 16 compliance.
NIST: National Institute for Standards and Technology; government agency responsible for establishing technology standards used in certain compliance frameworks, including FedRAMP and CMMC.
NIST 800-171: Assessment for organizations that interact with sensitive data, in support of programs that interact either directly or indirectly with the federal government and Department of Defense.
Qualified Opinion: Not necessarily negative, but may indicate a limited scope of examination or that the auditor was unable to directly verify certain information. Also, sometimes referred to affectionately as a Q-bomb.
Penetration Testing: A security exercise where a cybersecurity professional attempts to find and exploit vulnerabilities in a computer system. A common requirement in most compliance frameworks.
Points of Focus: Suggested manner in which a criteria can be achieved; similar to a control activity.
Provided by Client (PBC) List: List of audit evidence requested by the auditor and provided by the entity being audited.
Results of Tests: Results of controls testing used to validate the design or operating effectiveness of internal controls.
Risks: Threats to business operations or the achievement of control objectives.
Service Auditor: The auditor who reports on controls of a service organization that may be relevant to a user organization’s internal control as it relates to an audit.
Service Organization: The entity (or segment of an entity) that provides services to a user organization that is part of the user organization’s information system.
Subservice Organization: Vendors used by the service organization that are material to service delivery and are responsible for supporting the service organization’s controls.
SOC: Service Organization Control. There are three types: SOC 1 (formerly SSAE 16), SOC 2, and SOC 3.
SOC 1: Audits intended for service organizations providing services related to their clients’ internal controls over financial reporting (ICFR).
SOC 2: An independent audit of a service organization’s compliance with one or more of the SOC 2 Trust Services Principles and Criteria which are Security, Availability, Confidentiality, Processing Integrity, and Privacy.
SOC 3: A summarized version of a SOC 2 report that can be more freely distributed. The report includes just the auditor’s opinion, management’s assertion, and a description of the Company’s controls. The detailed tests of controls and results are omitted from a SOC 3 report.
SSAE: Statement on Standards for Attestation Engagements
Trust Services Criteria: A set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. The five criteria are: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Type I Report: A report on a description of a service organization’s system and the suitability of the design of control. The report is issued “as of” a point in time. Learn more about Type I vs Type II SOC Reports here.
Type II Report: A Type II report includes the service organization’s description of controls as well as detailed testing of the service organization’s controls over a minimum of a six-month period; the report is issued for the period that was audited.
Unqualified Opinion: Statement recorded in the final report that indicates the auditor’s endorsement of the accuracy and adequacy of the audit.
User Organization: An organization using the service of a service organization, also referred to as the users of the report (e.g., clients).
Need an Audit? Contact Us For a Free Consultation
Audit terminology is a language of its own. Acronyms are abundant and you may feel like you are drowning in “audit speak”. This guide is just a starting point, but as an experienced auditor, Linford & Company can help with these translations and lead your Company through the audit process. Please don’t hesitate to contact us to discuss your audit requirements and any other audit and compliance questions you may have.