Glossary
AICPA: American Institute of Certified Public Accountants, an association of CPAs licensed to audit and report on the accounting transactions of a business. The AICPA acts as a standards body for CPAs, setting forth standards and expectations for its members.
AICPA-Standards Board: The AICPA maintains a board of experienced accountants who define the standards of conduct for its members with regard to auditing and reporting on business transactions.
Assertion: The statement by the management of a service organization about the status of its data controls, given in the form of a description of the service organization’s system. The assertion describes the objectives of the control system, the suitability of the design of the controls, and the operating effectiveness of the controls in meeting the privacy and security requirements.
Attestation: The evaluation by the service auditor of management’s description of the services and controls, to determine whether the following categories, as determined by the terms of the engagement, are presented fairly and in sufficient detail to establish that:
- a. the control objectives are reasonable,
- b. the controls identified were implemented,
- c. complementary user entity controls, if included, are adequate, and
- d. the services performed by any subservice organization are described using either the inclusive or the carve-out method, according to the requirements of SSAE 16. (Paragraph 19)
Attestation Engagement: The employment of a CPA or CPA.CITP as an independent service auditor to determine the suitability of the measurements and communications of the controls described by the management report and to render an opinion on the fairness of the report.
Auditor-Internal: A CPA or CPA.CITP employed by a service organization to audit the sufficiency of the controls protecting data, as described in the assertions of the service organization’s management about how the control system was designed and implemented.
Auditor-User: A CPA or CPA.CITP employed by a user entity to evaluate the sufficiency of the controls over the user entity’s information technology.
Auditor-Service: An independent CPA or CPA.CITP engaged by a service organization to provide an attestation of management’s assertion as to whether the system controls meet the requirements established by the Service Organization Controls standards.
Auditor’s Attestation: An audit report by an independent CPA.CITP indicating the completeness and suitability of management’s assertion as to whether the system controls meet the requirements established by the Service Organization Controls standards.
Availability: The auditor determines if the system is working properly and available for operation and use as committed or agreed.
Carve-out Method: The method used to address the services provided by a subservice organization. The method permits management’s description of the service organization’s system to identify the nature of the services performed by the subservice organization while excluding, from both the description and the scope of the service auditor’s engagement, the subservice organization’s relevant control objectives and related controls. In other words, the carve-out method allows the service auditor to exclude subservice organizations from the audit.
CITP: A Certified Information Technology Professional (CITP) is a CPA who is uniquely qualified to evaluate a company’s financial statements as well as its information technology systems. The CITP designation is awarded by the AICPA to CPAs with extensive experience in information technology. Combining a broad understanding of accounting and information technology, they are able to offer insights to businesses that neither a CPA nor an information technology professional auditing alone can offer.
CPA: An accountant that has been tested for qualifications and licensed by the state in which he is domiciled is a Certified Public Accountant (CPA), certified to audit the financial transactions of businesses and provide certified reports internally and to others.
Client: A user entity that utilizes a Service Organization’s data processing system for the collection, processing, storage and reporting of its financial transactions.
Confidentiality: A confidentiality control limits access to data and to system controls to those authorized by management.
Consumer: A consumer is defined by the Financial Privacy Rule under the Gramm-Leach-Bliley Act as “an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, or that individual’s legal representative.” (15 U.S.C. § 6809(9)). In contrast to a customer, a consumer does not have an ongoing customer relationship with the financial institution.
Controls: Policies and procedures designed to ensure that financial statements or other assertions by a company’s management are accurate.
Controls-Logical: Logical controls are controls on software components of an information system. These controls are designed to prevent unauthorized access to or exploitation of information technology systems.
Controls-Physical: Controls which are created to protect important information systems from unauthorized access to physical components of the system. These controls are intended to prevent unauthorized users from altering, damaging or accessing physical infrastructure associated with these systems.
Customer: A consumer who has a relationship with a financial institution that is governed by privacy rights protected under the Gramm–Leach-Bliley Act.
Data Center: A company offering a technology infrastructure for processing nonpublic, private data for financial institutions such as banks and others processing personal data.
Fair Credit Reporting Act: An act regulating credit agencies’ collection, storage and transmission of personal and nonpublic data. All companies and agencies governed by the Fair Credit Reporting Act must comply with the terms of the Financial Privacy Rule, which is part of the Gramm-Leach-Bliley Act, for the collection, processing, storage and reporting of personal and nonpublic data.
Financial Institutions: The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999 (Public Law No. 106-102), applies to financial institutions, defined as companies that offer financial products or services to individuals, such as loans, financial or investment advice, or insurance.
Financial Privacy Rule: A rule within the Gramm-Leach-Bliley Act that governs the collection, protection, and disclosure of customers’ personal financial information by financial institutions and service organizations. The Financial Privacy Rule states that the law also applies to all companies, regardless of whether they are financial institutions, that receive such information. This means that any company that processes personal nonpublic information must also be audited to determine whether it has adequate controls in place. The Financial Privacy Rule provides for a written privacy policy agreement between the company and the consumer pertaining to the protection of the consumer’s personal nonpublic information. The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain what information is collected about the consumer, where that information is shared, how it is used, and how it is protected, and must commit the institution to giving notice if the policy changes.
GAAP: An abbreviation of Generally Accepted Accounting Principles, the standards and guidelines established by the Financial Accounting Standards Board (FASB), an independent, self-regulatory board that describes and interprets generally accepted accounting principles. It operates under the principle that the economy and the financial services industry work smoothly when credible, concise, and clear financial information is available. FASB periodically revises the GAAP to make sure corporations are following its principles. Corporations are expected to fully account for different kinds of income, avoid shifting income from one period to another, and properly categorize their income. Currently there are over 150 pronouncements defining how different types of transactions are to be recorded. The financial statements of companies reporting according to GAAP can be compared because the data is consistent by definition.
GAPP: An abbreviation of the Generally Accepted Privacy Principles adopted by the AICPA and the Canadian Institute of Chartered Accountants (CICA), reflecting local, national, and international privacy regulations, to provide guidance for auditing information technology systems and determining the adequacy of the privacy controls provided for in the system design. There are ten areas addressed by the privacy principles:
- Management
- Notice
- Choice and Consent
- Collections
- Use, Retention, Disposal
- Access
- Disclosure to third parties
- Security for privacy
- Quality
- Monitoring and Enforcement
Gramm-Leach-Bliley Act: An act passed by the U.S. Congress on November 12, 1999. It requires all financial institutions to design, implement, and maintain safeguards to protect nonpublic and private customer data.
Inclusive Method: A method used to describe the services provided by a subservice organization within management’s description of the service organization’s system. Management’s description of the subservice organization’s system identifies the nature of the services performed by the subservice organization and includes, within the scope of the service auditor’s engagement, the subservice organization’s relevant control objectives and related controls.
Information Technology: A term used to describe the electronic processing, control, storage and retrieval of data utilizing computer technology.
Management Report: At the time a service auditor is engaged, the management of a service organization or data center must provide the service auditor with an assertion about the status of its data controls, describing the service organization’s system. The assertion describes the objectives of the control system, the suitability of the design of the controls, and the operating effectiveness of the controls in meeting the privacy and security requirements.
Practitioner: A practitioner is an independent CPA, CPA firm or a CPA.CITP.
Privacy of Data Security: The protection of personal information, including nonpublic information that is about or can be related to an identifiable individual, so that it is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles issued by the AICPA.
Processing Integrity: One of the five components of a SOC 2 audit, processing integrity ensures that data processing is conducted in a manner that preserves the integrity of the source data. The service auditor tests the system to determine if the processing is complete, accurate, timely, and authorized.
Readiness Assessment: A preliminary audit performed by a CPA or CPA.CITP to determine the degree of compliance of the data protection controls currently in place. These assessments are performed on a routine basis for Service Organizations that have never been audited or have relied on SAS 70 audits in the past. SAS 70 reports are no longer accepted under the new SOC requirements established by the AICPA’s Auditing Standards Board as dictated by federal law.
Responsible Party: The person or persons, either as individuals or representatives of the entity, responsible for the management assessment. (AT 101.14.11)
Safeguards Rule: A rule within the Gramm-Leach-Bliley Act that requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their customers, but also to financial institutions such as credit reporting agencies, appraisers, mortgage brokers and others that collect and disclose customer information received from other financial institutions.
SAS 70: Statement on Auditing Standards (SAS) No. 70 was adopted by the American Institute of Certified Public Accountants around 1993. It was intended to establish a standard for gathering evidence on the internal controls of a Service Organization (SO) associated with the delivery of services related to the control of data used in preparing financial reports, where those controls affect the accuracy of the financial reports. SAS 70 created an audit of internal controls over financial reporting (ICFR) and did not apply to privacy or security audits of Service Organization Controls (SOC). The audits were to be performed and reported on by independent CPAs other than the service user’s auditor. The standards of SAS 70 have been replaced by those of a SOC 1 Audit.
Service Organization: A company offering a technology infrastructure for processing nonpublic, private data for financial institutions such as banks and others processing personal data.
Service Organization Controls: There are three standards for Service Organization Controls (SOC) established by the American Institute of Certified Public Accountants (AICPA) for determining the suitability of the system design and the operating effectiveness of service organizations’ information technology (IT) infrastructures: SOC 1, SOC 2, and SOC 3.
SOC 1 AUDIT: A SOC 1 audit examines and tests information technology (IT) infrastructures according to the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization, adopted April 2011.
SOC 1 TYPE 1 Report: The SOC 1 Type 1 reports on the accuracy and completeness of management’s description of the IT system or service, as well as the suitability of the design of controls, as of a specific date.
SOC 1 TYPE 2 Report: The SOC 1 Type 2 audit includes the Type 1 criteria and reports on the operating effectiveness of the controls throughout a time period up to one year.
SOC 2 AUDIT: The corresponding SOC 2 and SOC 3 audits, which are not relevant to financial reporting, are conducted in accordance with AT Section 101 and utilize the recently released AICPA audit guide titled “Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality or Privacy”. The report includes tests of the information systems controls governing the accounting records and other procedures necessary to enable the auditor to express an unqualified opinion that the information technology systems and controls described by management allow financial statements to be fairly presented, in all material respects, and in conformity with the standards established by the following principles:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.
SOC 2 TYPE 1 Report: This is a report on the accuracy and completeness of management’s description of the IT system or service, as well as the suitability of the design of controls, as of a specific date.
SOC 2 TYPE 2 Report: The SOC 2 Type 2 includes the Type 1 criteria and reports on the operating effectiveness of the controls over a period of months. In addition, it addresses the Privacy principle and provides information and the CPA’s opinion about the service organization’s compliance with the commitments in its statement of privacy. The report is for internal use only. No official SOC 2 certificate will be issued for publication. A Type 2 is issued to user auditors upon request as evidence of the operating effectiveness of controls.
SOC 3 Report: The SOC 3 report provides the same level of assurance about controls over security, availability, processing integrity, confidentiality, and/or privacy as a SOC 2 report. In addition, the SOC 3 audit determines whether the controls also meet the Trust Services Criteria for the specific principle(s) being examined, as defined by the AICPA WebTrust/SysTrust audit services in 2010. An approved SOC 3 audit report can act as the supporting document for a certification that can be released to the general public. The report does not contain a detailed description of the testing performed by the auditor.
SOC 3 PRIVACY NOTICE: A SOC 3 report is an independent auditor’s review of a service organization’s application of criteria related to one or more of the Trust Services Principles, which are:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA.
The SOC 3 report provides the same level of assurance about controls over security, availability, processing integrity, and confidentiality as a SOC 2 report. It also provides assurance that the privacy requirements are met. The SOC 3 is a certification for general release to the public and does not contain the detailed description of the testing performed by the auditor.
SOC 3 Certificate of Compliance: Once the service auditor is assured that the Service Organization’s information system and controls have met all of the trust services criteria according to the approved standards, the auditor can authorize a Service Organization manager to declare that the organization has received the SOC 3 SysTrust seal certifying compliance.
SSAE 16: Statement on Standards for Attestation Engagements No. 16, issued April 16, 2010, establishes guidelines for CPA/CITP Attestation Engagements with service and subservice organizations. SSAE 16 is virtually identical to its international complement, the International Accounting Standards Board (IASB)’s International Standard on Assurance Engagements (ISAE) 3402. Both standards became effective for reports issued on and after June 15, 2011.
Subservice Organization: A service organization employed by another service organization to process, record and report financial data for its user entities. The services provided to user entities are likely to be relevant to those user entities’ internal controls over financial reporting, as defined in paragraph 7 of SSAE No. 16. A service organization complying with SSAE No. 16 is not required to consider a subservice organization that does not meet the requirements for a subservice organization as defined by SSAE No. 16. In management’s description of the service organization’s system, management may elect to use either the carve-out method or the inclusive method in its discussion of the services provided by a subservice organization.
SysTrust: SysTrust is a new certification offered to service organizations that successfully complete a SOC 3 audit. The certification allows a service organization to display the SysTrust seal, which demonstrates to its clients that its information technology system has met or exceeded strict requirements to protect their personal, nonpublic data.
User Entities: Companies contracting with Service Organizations for processing, recording and reporting the electronic data of their customers.