SOC 2 Audit Terminology

Crash course in SOC 2 Audit Terminology.

Zight | June 11, 2021 | 7 min read time

Article Last Updated: July 23, 2023

SOC 2 Audit Terminology

Table of Contents

How much do you know about SOC 2 compliance? Keeping user data private and secure is absolutely essential for enterprise software providers in this day and age, so we encourage you to learn all you can!

As you look into SOC 2 compliance, new terms and phrases will start popping up. We put together a glossary of relevant terms to help you get up to speed.


Attestation is the auditing of a system to ensure it meets SOC 2 standards. The main goal of attestation is to conduct the audit and obtain an attestation report.

Attestation Report

This report is a non-disclosure agreement (NDA) signed by the SOC 2 auditor in accordance with a standard established by the International Organization for Standardization (ISO).

AuditReq Methodology

AuditsRequirement Methodology, commonly referred as the “AuditReq” method, is a set of templates that help collect audit evidence from various sources, such as IT documents, projects, team members and more.


A baseline is the point-in-time configuration that establishes a starting point for measuring against the SOC 2 report. It includes software and hardware inventory information that identifies installed servers, operating systems, applications, databases and storage systems.

Bedrock Controls

Also known as “Business Risk Management” (BRM), bedrock controls consist mostly of historical activities and are the foundation for effective IT security governance. Historical practices and processes to mitigate business risk would be considered a part of bedrock controls.

Compliance Report

After making a site visit, an SOC auditor will issue a standard compliance report. This report will state whether measurements taken to check compliance have passed, as well as any other relevant observations found during the site visit. It is advisable that a company or organization uses this report to plan for any improvements on its security policies and operations.

Generally, the compliance report is followed by the publication of an attestation report three months after the site visit.

Comprehensive Assessment

During a comprehensive assessment, the SOC 2 auditor will ensure a covered entity’s business processes are appropriately designed with security controls and that it operates in accordance with industry standards.


Conformance describes the extent to which a product or service fulfills its specified requirements.


The term “consensus-based” refers to the technical competence of the SOC 2 auditors.

According to a consensus-based assessment plan, a significant portion of listed controls must be inspected by technical experts qualified in their subject matter. When an examination is conducted by consensus-based SOC 2 auditors, the scope is limited.

Controlled Disclosure

A controlled disclosure means that only entities permitted by law or contract should receive information regarding a breach of security.

Companies should have a policy on this subject in order to reduce their liability if a breach occurs. Among other laws, it may also provide for criminal sanctions in case it cannot show that reasonable steps were taken to prevent or limit breaches, or if an unauthorized person was involved in disclosing information about those breaches.

Controlled disclosures are generally intended to be temporary until corrective action can be made. General disclosures, on the other hand, can last indefinitely.

Controls Placed in Operation Report

This document provides proof that critical controls and privacy controls have been verified. It proves compliance with the privacy and security requirements of SOC 2. The Controls Placed in Operation Report is used to confirm that the controls in an organization’s SOC 2 system are implemented and operating as intended.


Demand, also known as the customer, is included in the maintenance plan as an external client. The customer’s demand may be training, additional documentation or proof/certification.

Excluded Party

Excluded parties often refer to subcontractors, processors, data centers and data storage providers. These parties are included in the scope of a SOC 2 report and involved in the processing of personal information by the Service Organization. It excludes parties that are contractually required to have an agreement with the Service Organization for the provision of goods and/or services.


Any changes made to the baseline are known as an extension. After an extension has been added, it is referred to as a “modified baseline.” SOC 2 requires a modified baseline every three years, or if control or reasonably expected control impact levels have had major revisions.

Maintaining records of control deviation is not required when there are no significant changes to products not part of a system. These records may be kept for ethical purposes, but they are not required for compliance with the SOC 2 standard.

See: Modified Baseline.

Modified Baseline

See: Extension.

Personal Data

Personal data refers to any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by information such as a name, an identification number, location data or online identifier or one who is at least 18 years old on the collecting date.

Personal Information

This refers to any information relevant to an identified or identifiable natural person such as social security number, name, address and payment card number. The entity that determines the purposes and means of processing personal information is known as a “controller.”

Personnel Data

Personnel data includes any general information or personal attribute about an individual, such as name, contact details, national insurance number and employment status.


A processor is the entity which processes personal information on behalf of a controller. If you work with a third-party service provider that collects personal user information on your behalf (such as user profile data) and stores it in some form or another, they are considered your processor.


Pseudonymization involves replacing real names with alternative identifiers, known as pseudonyms. Pseudonyms do not directly or indirectly reveal information about an individual’s identity, thereby rendering them non-personal information where necessary under applicable law. Pseudonymization can significantly reduce the risk of processing sensitive data.

Quality Control

Quality control is the set of procedures that ensure the quality and consistency of data. The two major parts of quality control are testing and validation. They must be performed in the process of data collection.

Quality Report

A quality report is a clearly written description meant for managers and auditors that explains the goals and objectives of a company’s quality assurance system. It includes reports from independent, external auditors during regular visits that analyze whether documented procedures have been followed appropriately.

Upon completion of a review, auditors write a summary report that lists any areas requiring immediate attention from top management in order to properly adhere to the standards in question.

Risk Assessment

Risk assessment involves identifying all risks and risk factors related to privacy breaches. It includes legal compliance, existing legislation, internal policies, business processes, outsourcing agreements with third-party providers, technologies employed by the organization, internal systems, physical environment and more.

Security Architecture

Security architecture, also known as security infrastructure, defines the operating environment of the information system. It includes security policies, hardware systems and software programs that have been developed by an organization.

Sensitive Personal Data

Sensitive personal data involves information that is considered private by a society’s general context. It includes details such as racial or ethical origin, political interests, religion and more.

Service Auditor

A SOC 2 service auditor evaluates a service organization’s security controls to determine whether they protect the confidentiality, integrity and availability of information assets.

After an intensive period of research and testing, the auditor issues either a favorable or an adverse opinion about the control’s effectiveness, thus providing a professional assessment of a service organization’s security.

Service Organization

The service organization is an entity engaged in processing personal information on behalf of another entity called the “controller.”


These are the stipulations defining the functional and non-functional requirements that must be satisfied by a set of software components.


Testing is the qualitative element of quality control. It checks the collected data for accuracy, completeness and compatibility. It is performed through different methods taking into account that user requests are filled completely. The best practice is to have automated tests that verify that all entered information is what you expected.

Tests of Operating Effectiveness Report

A test of operating effectiveness (TOE) report assesses the impact, benefits and learning gained during a training program. It is a vital part of developing and executing consistent training standards for your staff.

The TOE report serves as the report card to the program. It sets a performance standard and communicates expectations to all involved parties. Use it to understand the efficacy of your training and measure any changes in job behavior.

User Auditor

User auditors assist SOC 2 clients in preparing for an SOC 2 Annual WebTrust Audit. This auditor will review the available evidence supporting compliance with the applicable service controls and perform non-automated testing of key controls.

User Organization

This is a company or organization that requests an audit and/or maintains and uses U.S. Office of Personnel Management (OPM) attestations. User organizations utilize previously performed attestation work. Their primary focus is to demonstrate compliance with their own related regulations and standards to the entities that depend on them for the services or products provided.


Validation is the second part of quality control. It evaluates if the data meets certain integrity requirements, including meeting the needs of users. It should be a formal process with documented procedures, goals, measurements methods and feedback mechanisms.

Final Thoughts

There’s a lot of technical terms when it comes to SOC 2 compliance, but it’s a vital topic for enterprise software providers to understand. We encourage you to take some time to train yourself and your team!

As always, we’re here to help. We know how important privacy, security and peace-of-mind is to our users, because it’s just as important to us. Zight (formerly CloudApp) is SOC 2 Type II compliant for enterprise customers as part of our dedication to keep customer information private and secure.

Are you an enterprise looking for a company-wide screenshot and screen recording solution? Contact us about our SOC Type II compliant screen recorder software!

Create & share screenshots, screen recordings, and GIFs with Zight