Decoding AICPAs SOC2 layers

If you're navigating the complexities of the AICPA's SOC2, this article is a must-read.

This article, authored by an experienced professional familiar with both sides of the SOC2 audit process, is an essential read. It offers a detailed list of key terms and definitions crucial for anyone working with SOC2.

Keep an eye out for this insightful piece – it's an essential addition to your professional toolkit.

AICPA - The American Institute of Certified Public Accountants (AICPA) is a professional organization for Certified Public Accountants (CPAs) in the United States. Founded in 1887, the AICPA is instrumental in setting ethical standards for the accounting profession and U.S. auditing standards for private companies, nonprofit organizations, and federal, state, and local governments.

CC - Common Criteria refers to a set of standards or benchmarks used to measure or evaluate the subject matter of an attestation engagement. These criteria are used as a basis for a CPA (Certified Public Accountant) to form an opinion or conclusion about the subject matter.

COSO - The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an initiative that provides a comprehensive framework for organizations to design and evaluate the effectiveness of their internal control systems. Established in the United States, COSO is widely recognized as a leading framework for designing, implementing, and assessing internal control and enhancing organizational performance. In the context of a SOC 2 report, the COSO framework is used to structure and evaluate the effectiveness of the controls related to the Trust Services Criteria (TSC) – security, availability, processing integrity, confidentiality, and privacy.

CUEC - Complementary User Entity Controls. This term is often used in the context of SOC 1 and SOC 2 reports, which are types of Service Organization Control (SOC) reports developed by the American Institute of Certified Public Accountants (AICPA). In these reports, CUECs refer to controls that are assumed to be in place at the user entity (the organization using the services of the service provider being audited). They are considered "complementary" because they complement the controls implemented by the service organization.

DC-200 - Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report. DC-200 provides guidelines for how a service organization should describe its system in a SOC 2 report. The latest 2018 version of DC-200 includes implementation guidance, which helps in determining the nature and level of disclosures essential to each criterion within the description. This guidance covers various aspects, such as the availability and suitability of the description criteria, preparing and reviewing the system description, materiality considerations, and presenting the description criteria and implementation guidance in a structured format. It is used alongside the 2017 Trust Services Criteria described in TSP section 100 for a SOC 2 report.

SOC 2 - Service Organization Control 2 - is an auditing procedure that evaluates the effectiveness of a service organization’s controls related to specific trust principles. Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 is specifically designed for service providers. SOC 2 reports are unique to each organization and based upon the Trust Services Criteria (TSC) developed by the AICPA.

SSAE – Statement on Standards for Attestation Engagements, issued by the AICPA's Auditing Standards Board. It is a set of guidelines for conducting attestation engagements. The latest is SSAE 21, effective as of June 15, 2022.

TSC - The Trust Services Criteria (TSC), developed by the American Institute of Certified Public Accountants (AICPA), are a set of principles and related criteria that are used in SOC 2 (Service Organization Control 2) and SOC 3 examinations. These criteria provide a structured framework for managing and evaluating the design and effectiveness of a service organization’s controls regarding the security, availability, processing integrity, confidentiality, and privacy of a system.
