Reading note. This is not a flat dictionary. It is a glossary of the CIAO Standard’s base ontological concepts – the working terms the CIAO Standard maps, harmonises, and references. Each entry carries: a CIAO working definition with reference attribution, a See also seed of relationships to other concepts, a CIAO note explaining how the term participates in the CIAO architecture, and a Scope marker identifying the term’s role. The relationship layer between concepts is forthcoming; this page is the foundation it builds on.
Source-artefact concepts
The thirteen concepts in this section name the kinds of authoritative documents the CIAO Standard maps clauses against. They form the input population of the harmonisation method – what enters the Source Standards Register, what does not, and why.
Standard
A document, established by consensus and approved by a recognised body, that provides – for common and repeated use – rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context (cf. ISO & IEC, 2004, clause 3.2). A Standard may be voluntary or mandatory in adoption depending on the regime governing it; its authority derives from the recognition of the body that approved it and the consensus process that produced it.
See also: Code · Framework · Conformance
CIAO note. Standard is the spine concept of the CIAO architecture. The Source Standards Register lists the formal Standards CIAO recognises and maps clause-by-clause against. CIAO does not host or reproduce Standard text – members consult their own authorised copies, and CIAO publishes the architectural layer above (clause-reference-only mappings against members’ portfolios).
Scope marker: Register-eligible (source-artefact)
Code
A document that prescribes recommended practice or procedure for an activity, profession or sector – typically issued by a recognised industry body, regulatory authority or professional institute, and applied through a disclosure regime such as apply-and-explain, comply-or-explain, or similar accountability mechanism (Institute of Directors in South Africa [IoDSA], 2025). A Code differs from a Standard in two key respects: its authority is institutional or professional rather than consensus-based standardisation, and its application is typically disclosure-driven rather than conformance-driven.
See also: Standard · Principle · Disclosure regime
CIAO note. Codes appear in the Source Standards Register alongside Standards as Register-eligible source artefacts (e.g., King V Code on Corporate Governance for South Africa). When CIAO maps a Code, the mapping reflects the principles and recommended practices the Code prescribes; the apply-and-explain disclosure mechanism remains the member’s responsibility, not the CIAO Standard’s. CIAO maps the substance of a Code’s recommendations, not the disclosure mechanic.
Scope marker: Register-eligible (source-artefact)
Framework
A structured arrangement of components, concepts, principles or processes intended to organise practice within a domain. A Framework may aggregate or extend other artefacts (Standards, Codes, Principles), provide a conceptual organisation for a body of practice, or supply a common reference architecture for a class of activity. Frameworks differ from Standards in being typically descriptive or organisational rather than prescriptive of specific requirements; they differ from Methodologies in describing structure rather than procedure.
See also: Standard · Methodology · Principle · Reference architecture
CIAO note. The boundary between Framework and Standard is genuinely fuzzy in industry usage – NIST CSF, COSO ERM, COBIT, and similar instruments are variously called “framework” and “standard” by different users. CIAO accepts both into the Register where their content is normative enough to be mapped clause-equivalent (NIST CSF, COBIT, COSO are Register entries; an agile development framework such as SCRUM is not). The decisive criterion is whether the artefact carries identifiable normative units that can be mapped – not the label on the cover. The CIAO Aggregate Frameworks (OPF, ECF, IDF) are CIAO-internal Frameworks that aggregate content the CIAO Standard produces; they are distinct from external source-artefact Frameworks in the Register.
Scope marker: Register-eligible (where normative) · CIAO-internal (where Aggregate)
Methodology
A structured approach to performing a class of activity, typically organised into phases, techniques and acceptance criteria. A Methodology may be normative (prescribing how an activity must be performed to achieve a stated outcome) or descriptive (capturing how an activity is typically performed in practice). A Methodology differs from a Standard in describing how rather than what; from a Framework in being procedural rather than structural; from a Procedure in operating at the level of an approach rather than a specific operational sequence.
See also: Framework · Procedure · Audit · Attestation · Bridge document
CIAO note. Methodology is the term that frequently appears in audit-and-assurance contexts: SOC 2 is the AICPA’s audit methodology applied against COSO; ISAE 3402 is the IAASB’s assurance methodology; SOC 1 (an ISAE 3402 Type II engagement) is an audit methodology commonly used to provide assurance over IT general controls aligned with COBIT. These are not Register-eligible Standards in their own right – they are bridge documents: audit methodologies that map against Register entries and produce operationalised control statements (policy-type and technical-control-type) that CIAO can extract as seed material for the Organisational Policy Framework and Enterprise Control Framework synthesis. The CIAO Mapping & Derivation Methodology itself is a CIAO-internal Methodology that operates on Register entries to produce harmonised CIAO content.
Scope marker: Bridge (audit-and-assurance Methodologies) · CIAO-internal (CIAO Mapping & Derivation Methodology)
Guideline
A non-binding document offering recommendations, advice or implementation guidance, typically accompanying or supporting a Standard, Code, Law or Policy (cf. ISO & IEC, 2004). A Guideline differs from a Standard in carrying no normative weight on its own; its content informs but does not prescribe. ISO defines a related concept – Code of practice – as a document recommending practices or procedures for the design, manufacture, installation, maintenance or utilisation of equipment, structures or products (ISO & IEC, 2004); the CIAO frame treats Guideline as the broader umbrella covering all such non-binding companion documents.
See also: Standard · Code · Best Practice · Principle
CIAO note. Guidelines are not added to the Register because they do not carry normative authority that can be mapped as compliance claims. However, where a Standard explicitly references its companion Guideline (e.g., ISO/IEC 27002 supporting ISO/IEC 27001), the Guideline’s content may inform CIAO’s clause-level mappings as informs relationships. A Guideline is interpretive scaffolding; a Standard is the normative source.
Scope marker: Reference (informs only) (non-Register)
Best Practice
An industry-recognised approach to performing a class of activity, evolved through practitioner consensus and typically descriptive rather than normative. A Best Practice differs from a Guideline in being community-derived rather than authority-issued; from a Standard in carrying no formal recognition by a standardising body. Best Practices often crystallise into Guidelines and eventually into Standards through the maturation of professional practice.
See also: Guideline · Standard · Practitioner contribution
CIAO note. Best Practices enter the CIAO architecture through the Editorial Submission Framework – practitioners contribute observations from their working practice, which the editorial process triages against the Register-bounded scope. A Best Practice that maps cleanly to a Register entry’s clause becomes a candidate for inclusion in the relevant Sub-Policy or Process; a Best Practice that does not map remains a Practitioner observation in the editorial trail. CIAO does not host Best Practices as standalone Register entries; it surfaces them where they support Register-mapped clauses.
Scope marker: Editorial-source (non-Register)
Principle
A foundational normative statement, typically high-level, that informs but does not fully specify implementation. A Principle expresses an enduring value or commitment from which more specific requirements may be derived. Principles differ from Rules and Requirements in their generality, and from Best Practices in their normative weight: a Principle is a should, not a typical.
See also: Code · Standard · Recommended practice · Disclosure regime
CIAO note. Principles often constitute the upper layer of Codes (King V is structured as 17 Principles, each supported by Recommended Practices). They are also the upper layer of the CIAO Standard’s own Constitution and Open Principles. Principles are not directly mappable as compliance claims because they describe orientation rather than testable requirements; CIAO maps the Recommended Practices that operationalise a Principle, and the Principle itself appears as the parent context. In the CIAO ontology, a Principle is a node that informs one or more clause-level Standards or Code recommendations.
Scope marker: Register-context (present in Codes; not independently Register-eligible)
Law
A binding legal instrument enacted by a competent legislative authority within a defined jurisdiction, mandatory in adoption for entities subject to that jurisdiction. A Law differs from a Standard in being binding by force of statute rather than voluntary or conformance-driven; from a Regulation in being typically the primary instrument from which secondary instruments derive. Examples in the CIAO Source Standards Register span multiple jurisdictions and legal traditions: South African Companies Act, Protection of Personal Information Act, and Cybercrimes Act; United States Health Insurance Portability and Accountability Act; Brazilian Lei Geral de Proteção de Dados (LGPD); Indian Digital Personal Data Protection Act.
See also: Regulation · Statutory Instrument · Directive · Convention · Treaty · Standard
CIAO note. Laws are added to the Register where they produce identifiable clause-level requirements that members must implement and that CIAO can map. The mapping is jurisdictional – a Law applies to members operating within its jurisdiction; the Dynamic Selection Engine filters Law-derived clauses on the member’s declared jurisdictional portfolio. CIAO maps the operative provisions of a Law (the clauses that impose obligations); the Law’s preamble, definitions, and procedural provisions are reference context only.
Scope marker: Register-eligible (source-artefact, jurisdictional)
Regulation
A binding legal instrument issued under authority of a Law, providing operational specificity to the framework provisions of the parent legislation. In most legal traditions worldwide – including South African, broader African, Latin American, Asian, and Commonwealth practice – Regulation refers to subordinate legislation made by a delegated authority under powers granted by an Act of Parliament; Statutory Instrument is a related term for the same kind of subordinate instrument and is the preferred term in some jurisdictions. In the specific context of European Union law, Regulation takes on a distinct technical meaning: a binding legal instrument issued by the EU that applies directly and uniformly across all Member States without requiring national implementing legislation (Treaty on the Functioning of the European Union, Article 288). Examples in the EU sense include the General Data Protection Regulation (Regulation (EU) 2016/679) and the Digital Operational Resilience Act (Regulation (EU) 2022/2554).
See also: Law · Directive · Statutory Instrument
CIAO note. The CIAO Source Standards Register accommodates both senses of Regulation. Subordinate-legislation Regulations are mapped as the operative clause source for the parent Law in the relevant jurisdiction (e.g., Regulations issued under the Protection of Personal Information Act in South Africa). EU Regulations carry the additional property that they apply directly without national transposition, simplifying the jurisdictional layer in the Dynamic Selection Engine – declaring any EU Member State in a member’s portfolio inherits the full set of applicable EU Regulations as a uniform body. The Register flags each Regulation entry with its applicable jurisdiction and the parent Law (where one exists) so members can see provenance.
Scope marker: Register-eligible (source-artefact, jurisdictional)
Statutory Instrument
A form of subordinate legislation made by a person or body under authority delegated by a primary Law. Found in most legal traditions worldwide, Statutory Instruments operationalise the framework provisions of an Act and may take various forms (Regulations, Rules, Orders, Notices, Schedules, Proclamations) depending on jurisdiction. South African examples include Regulations issued under the Protection of Personal Information Act and the Cybercrimes Act; Indian examples include Rules issued under the Digital Personal Data Protection Act; United Kingdom examples include Statutory Instruments issued under primary Acts. The exact terminology varies – some jurisdictions use Regulations, Rules, Orders, or Subsidiary Legislation for the same functional category – but the legal nature is consistent: binding subordinate instruments deriving authority from a parent Act.
See also: Law · Regulation · Directive
CIAO note. Statutory Instruments share the binding force of their parent Law and are typically the source of the operational clause-level requirements members must implement. CIAO Register entries for jurisdictional Laws encompass the parent Act and its operative Statutory Instruments where relevant – the Register treats the legal-instrument family as a unit for mapping purposes, while preserving traceability to specific Statutory Instruments in the clause references. This treatment is intentionally jurisdiction-neutral and recognises the shared functional role of subordinate legislation across legal traditions.
Scope marker: Register-eligible (source-artefact, jurisdictional – subordinate legislation)
Directive
A binding instruction issued by a competent authority requiring a defined recipient to achieve a specified outcome. The term carries different meanings depending on context. In organisational governance, a Directive is an internal binding mandate issued by senior management or a governing body, distinct from policy in being typically issued for a specific situation or recipient rather than as a general standing rule. In European Union law, Directive takes on a specific technical meaning: a binding legal instrument issued by the EU that requires Member States to achieve a specified result while leaving the choice of form and methods of implementation to the national authorities (Treaty on the Functioning of the European Union, Article 288). EU Directives must be transposed into national law before they become operational on entities; examples include the EU Cybercrime Directive (Directive 2013/40/EU) and the EU NIS2 Directive. Other jurisdictions and international bodies issue analogous Directives with their own legal characteristics – for example, African Union Directives or sector-specific regulatory directives issued by national regulators.
See also: Regulation · Law · Statutory Instrument · Treaty
CIAO note. EU Directives produce variable clause-level requirements across Member States because each State transposes the Directive into its own national legislation with permitted variations. CIAO Register treatment for an EU Directive must therefore reference both the Directive itself and the applicable national transposition for each Member State a member operates in. For Directives issued by other authorities (national regulators, regional bodies, the African Union and similar), the Register treatment follows the same principle: the Directive establishes the obligation, and the national or sectoral implementing instruments establish the operative clauses CIAO maps.
Scope marker: Register-eligible (source-artefact, jurisdictional)
Convention
A multilateral agreement between states, binding on signatories within the scope and reservations of the agreement. A Convention typically establishes shared rules for an area of cross-border activity (data protection, cybercrime cooperation, environmental protection, human rights) and may give rise to subsidiary instruments and national implementing legislation. The Vienna Convention on the Law of Treaties (1969) provides the canonical international-law definitions for treaties, conventions, and related instruments. Examples relevant to the African digital governance space include the Malabo Convention on Cyber Security and Personal Data Protection (African Union, 2014) and the Budapest Convention on Cybercrime (Council of Europe, 2001, with global signatories).
See also: Treaty · Law · Vienna Convention on the Law of Treaties
CIAO note. Conventions become operationally relevant to CIAO members through the national legislation that implements them in the member’s jurisdiction. The Convention itself is rarely the unit a member directly implements; the implementing Law or Statutory Instrument is. CIAO Register entries for Conventions should therefore note the Convention as context and link to the specific national implementing instruments members map against.
Scope marker: Register-context (international-law context for jurisdictional mapping)
Treaty
A formal international agreement between states, governed by international law, establishing rights and obligations between the parties. The Vienna Convention on the Law of Treaties (1969) defines a Treaty as an international agreement concluded between States in written form and governed by international law, whatever its particular designation. Treaty, Convention, Protocol, Charter, Covenant, Pact – these are different formal designations for instruments that share the same legal nature under international law; the choice of designation reflects diplomatic and historical convention rather than legal effect.
See also: Convention · Law · Vienna Convention on the Law of Treaties · United Nations Charter
CIAO note. Treaties are upstream of national Laws – they establish the international obligations from which Convention-derived national legislation flows. For CIAO Register purposes, a Treaty itself is rarely the unit of mapping; the relevant unit is the national Law or Statutory Instrument that implements the Treaty’s obligations within a given jurisdiction. CIAO may surface Treaties as Register-context entries where they provide the legal-historical basis for a body of mapped national legislation.
Scope marker: Register-context (international-law context)
Audit-and-assurance concepts
The twelve concepts in this section name the kinds of work performed against source artefacts, the actors who perform that work, and the evidence products it produces. Where source-artefact concepts describe what enters the Register, audit-and-assurance concepts describe what is done with source artefacts in operational practice – and in particular, how bridge documents (audit reports, attestations, certifications) relate to the source artefacts they are tested against. This family is foundational to the CIAO bridge-vs-Register architectural distinction.
Audit
A systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (International Organization for Standardization, 2018, clause 3.1). An audit may be internal (first-party, performed by the organisation on itself), external second-party (performed on the organisation by a customer or representative), or external third-party (performed by an independent body such as a regulator, certification body, or independent service auditor). The criteria against which an audit is performed are drawn from one or more source artefacts – Standards, Codes, Laws, Trust Services Criteria, or contractual requirements – that establish the requirements the auditee is being measured against.
See also: Assurance · Attestation · Audit criteria · Independent Service Auditor · Statutory Audit
CIAO note. Audit is the foundational activity from which most audit-and-assurance bridge documents arise. CIAO does not perform audits and does not certify members; it positions itself architecturally above the audit activity, mapping the source-artefact criteria that audits test against and harmonising the operationalised control statements that audit reports describe. When CIAO consumes an audit report (such as a SOC 2 Type II or ISAE 3402 Type II report) as a bridge document, it extracts the documented controls and their operationalisation as seed material for the OPF and ECF Aggregate Frameworks; it does not consume the audit’s findings, opinions, or named entities.
Scope marker: Activity (bridge-process)
Assurance
Confidence in a stated outcome, typically expressed by a competent and independent party to a stakeholder, derived from a structured engagement that obtains evidence and evaluates it against agreed criteria (cf. International Auditing and Assurance Standards Board [IAASB], International Framework for Assurance Engagements; Institute of Directors in South Africa [IoDSA], 2025). Assurance may be reasonable (high but not absolute confidence, expressed in a positive opinion such as presents fairly) or limited (lower confidence, expressed in a negative-form conclusion such as nothing has come to our attention). Assurance is broader than audit – it includes review engagements, attestation engagements, and other forms of evidence-based opinion – but every assurance engagement has the same structural anatomy: a responsible party, a subject matter, applicable criteria, and an assurance practitioner.
See also: Audit · Attestation · Combined assurance model · Reasonable assurance · Limited assurance
CIAO note. Assurance in the CIAO frame is a property of bridge documents rather than of the CIAO Standard itself. The CIAO Standard is not an assurance instrument and does not give assurance opinions; it provides architectural clarity about what source artefacts say, how they map together, and how members may operationalise them. The assurance opinions a member’s organisation needs come from its own engagements with independent assurance practitioners. CIAO supports members in preparing for those engagements by surfacing the source-artefact requirements and operationalised control statements relevant to their portfolio.
Scope marker: Construct (bridge-construct)
Attestation
The issue of a statement, based on a decision following review, that fulfilment of specified requirements has been demonstrated (International Organization for Standardization & International Electrotechnical Commission, 2020, clause 7.3). An attestation is the formal evidence product that closes a conformity assessment activity; it conveys assurance about the conformity of an object – a product, process, system, person, or body – to consumers, regulators, buyers, or other interested parties. Three categories of attestation are recognised in ISO/IEC 17000:2020: declaration (first-party attestation, issued by the supplier of the object); certification (third-party attestation related to the object, with the exception of accreditation); and accreditation (third-party attestation related to a conformity assessment body).
See also: Audit · Certification · Accreditation · Declaration · Conformance
CIAO note. Attestation is the upstream concept that gives CIAO bridge documents their evidentiary weight. SOC 2 Type II and ISAE 3402 Type II reports are attestation engagements: the assurance practitioner attests that the service organisation’s controls were both suitably designed and operating effectively over the report period. CIAO’s bridge-document discipline (CIAO §24.3) treats these attestations as evidence that the controls described are real and operating – which makes them legitimate seed material for the operationalisation tier of the OPF/ECF synthesis.
Scope marker: Output (bridge-product)
Certification
Third-party attestation related to an object of conformity assessment, with the exception of accreditation (International Organization for Standardization & International Electrotechnical Commission, 2020, clause 7.6). Certification is issued by a certification body – an organisation that is independent of both the supplier and the user of the object – confirming that the object meets specified requirements. Certifications carry a defined scope (which version of which Standard, against which boundary of the organisation), a defined period of validity, and typically require ongoing surveillance to remain valid. Common examples include ISO/IEC 27001 certification, ISO 9001 certification, and product certifications under various conformity assessment regimes.
See also: Attestation · Accreditation · Certification body · Surveillance · Conformance
CIAO note. Certification is one of the strongest attestation forms – third-party, independent, ongoing – and members of the CIAO Standard often hold one or more certifications relevant to their portfolio. CIAO does not certify members and is not a certification body. It surfaces the requirements certification bodies test against (the certified Standard, mapped clause-by-clause against the member’s portfolio) and helps members understand how a certification scope relates to the broader compliance obligations the Source Standards Register covers.
Scope marker: Output (bridge-product, third-party)
Accreditation
Third-party attestation related to a conformity assessment body, conveying formal demonstration of its competence, impartiality and consistent operation in performing specific conformity assessment activities (International Organization for Standardization & International Electrotechnical Commission, 2020, clause 7.7). Accreditation is meta-attestation: it does not say that an object meets requirements, it says that a conformity assessment body is competent to determine whether objects meet requirements. Accreditation bodies are themselves typically members of mutual-recognition arrangements (such as the International Accreditation Forum), which gives accreditations cross-border standing.
See also: Attestation · Certification · Conformity assessment body · International Accreditation Forum
CIAO note. Accreditation sits at the apex of the attestation pyramid. When a member’s organisation holds a certification, the value of that certification depends in part on whether the certifying body is itself accredited – an unaccredited certification carries less weight in the marketplace and with regulators. CIAO does not perform accreditation. Where CIAO surfaces certification-derived evidence in member-facing content, the underlying accreditation regime is referenced as quality-of-attestation context, not as a CIAO claim.
Scope marker: Output (meta-attestation)
Conformance
The fulfilment of specified requirements (cf. International Organization for Standardization & International Electrotechnical Commission, 2020, clause 4.1, on conformity). Conformance is a testable state – an object either fulfils a stated requirement or it does not, and conformity assessment activities (testing, inspection, audit) determine which is the case. The terms conformance and conformity are used interchangeably in much industry literature, with conformance more common in North American usage and conformity more common in international standardisation usage; ISO/IEC 17000:2020 standardises on conformity as the formal term.
See also: Compliance · Audit · Attestation · Conformity assessment
CIAO note. Conformance is the testable property a Standard’s clauses establish. Every Register-eligible source artefact that CIAO maps produces clauses that, in principle, are testable – an organisation either does what the clause requires or it does not. CIAO’s mapping fabric makes this testability accessible: by surfacing the clauses applicable to a member’s portfolio in a single harmonised view, CIAO supports members in determining their own conformance status across multiple source artefacts simultaneously, even though CIAO itself does not assess that status.
Scope marker: Construct (testable state)
Compliance
The state of meeting the requirements of an applicable Law, Regulation, Statutory Instrument, Code, contractual obligation, or formally adopted policy (cf. Institute of Directors in South Africa [IoDSA], 2025). Compliance overlaps significantly with conformance in everyday usage but typically carries a stronger connotation of legal or regulatory obligation: an organisation is compliant with the law, conformant with a voluntary Standard. In governance contexts, compliance is also used to describe an organisation’s overall posture of meeting its obligations – ethical, legal, regulatory, contractual – taken as an integrated whole.
See also: Conformance · Law · Regulation · Audit · Combined assurance model
CIAO note. Compliance is the operational outcome members typically seek when they engage with a source artefact CIAO has mapped. The CIAO Standard does not declare members compliant – compliance with a Law is a determination made by the organisation’s own counsel, regulators, and competent authorities; compliance with a Standard is a determination made through audit and certification – but CIAO supports the underlying work by making the requirements visible, harmonised, and traceable across portfolios. Members reach compliance through their own work; CIAO makes that work efficient.
Scope marker: Construct (regulatory/legal state)
Trust Services Criteria
A set of control criteria established by the American Institute of Certified Public Accountants (AICPA) for use in evaluating and reporting on the controls of a service organisation relevant to the security, availability, processing integrity, confidentiality, and privacy of information and systems (American Institute of Certified Public Accountants [AICPA], 2017). The Trust Services Criteria (TSC) are organised into five categories, each with its own control criteria; Common Criteria (CC1 through CC9) apply across all five categories. The TSC are the criteria against which SOC 2 examinations are conducted; SOC 2 reports describe the service organisation’s controls and the independent service auditor’s tests of those controls, mapped to the applicable TSC.
See also: Audit · Attestation · Independent Service Auditor · SOC 2 · COSO
CIAO note. Trust Services Criteria are the criteria layer that makes SOC 2 a bridge document rather than a Register-eligible Standard. The TSC do not stand alone as a body of normative requirements – they reference the COSO Internal Control Integrated Framework as their governance backbone, and they are operationalised by service organisations through their own controls. CIAO treats the TSC as criteria-construct: the framework that gives SOC 2 reports their structure and the mapping target for extracting operationalised controls into the OPF/ECF Aggregate Frameworks.
Scope marker: Construct (criteria framework)
Type 1 and Type 2 Reports
Two report variants used in service organisation control engagements (SOC 1, SOC 2, ISAE 3402, ISAE 3000). A Type 1 report describes the service organisation’s controls at a point in time and includes the auditor’s opinion on whether those controls are suitably designed to achieve the stated control objectives. A Type 2 report covers a period (typically six or twelve months) and includes the auditor’s opinion on whether the controls were both suitably designed and operating effectively throughout that period; Type 2 reports include the auditor’s tests of control operation and the results of those tests. Type 2 reports therefore provide stronger assurance – design effectiveness plus operating effectiveness – but require operating-period evidence.
See also: Audit · Attestation · Independent Service Auditor · SOC 2 · ISAE 3402
CIAO note. The Type 1 / Type 2 distinction matters for CIAO’s bridge-document discipline. Type 2 reports describe controls that have been observed in actual operation, with documented evidence that they functioned over a defined period; this gives them stronger weight as seed material for operationalisation. CIAO’s bridge-document protocol (CIAO §24.3) preferentially extracts from Type 2 reports for this reason. Type 1 reports remain useful for design-pattern extraction but are weaker evidence of how a control actually operates in practice.
Scope marker: Output (audit report variant)
Independent Service Auditor
A licensed certified public accountant (or equivalent qualified professional under the relevant jurisdiction’s auditing framework) who performs an examination engagement on the controls of a service organisation under a recognised assurance standard such as SSAE 18 (United States), ISAE 3402 (international), or equivalents (cf. American Institute of Certified Public Accountants [AICPA], SSAE No. 18; International Auditing and Assurance Standards Board [IAASB], ISAE 3402). The Independent Service Auditor is independent of both the service organisation being examined and the user organisations that will rely on the report. The auditor’s responsibilities include planning the engagement, obtaining an understanding of the service organisation’s system, performing tests of controls, and issuing the auditor’s report (Type 1 or Type 2).
See also: Audit · Attestation · Certification · Type 1 and Type 2 Reports · Statutory Audit
CIAO note. The Independent Service Auditor is the actor who produces the bridge documents CIAO consumes — SOC 2 reports, ISAE 3402 reports, ISAE 3000 reports. CIAO is not an Independent Service Auditor and does not perform examinations. When CIAO references a bridge document as input to OPF/ECF synthesis, the work of the Independent Service Auditor is what gives the bridge document its evidentiary status; CIAO’s discipline preserves that evidentiary chain by attributing extractions to the underlying assurance standard the auditor worked under, while excluding all confidential content (named entities, audit findings, control-failure descriptions) per CIAO §24.3.
Scope marker: Actor (third-party assurance practitioner)
Statutory Audit
An audit required by Law within a defined jurisdiction, typically mandated for entities of a specified type (companies above certain size thresholds, regulated financial institutions, public-interest entities) and performed under prescribed standards (cf. South African Companies Act 71 of 2008; Sarbanes-Oxley Act of 2002 [United States]; EU Statutory Audit Directive 2006/43/EC and amending Directive 2014/56/EU). A Statutory Audit differs from a voluntary audit in that the auditee has no choice in whether the audit is performed; the requirement, the scope, and often the auditing standards are established by Law. The statutory auditor’s report is typically directed to shareholders and other defined stakeholders rather than to the management of the auditee.
See also: Audit · Independent Service Auditor · Law · Compliance
CIAO note. Statutory Audit is the form of audit that produces an output most directly recognised as a compliance artefact. Members of the CIAO Standard whose organisations are subject to statutory audit obligations face requirements that flow from Law-class source artefacts; CIAO surfaces those requirements through the Source Standards Register’s jurisdictional mapping and the Dynamic Selection Engine’s portfolio filtering. The statutory audit itself remains the responsibility of the member’s organisation and its appointed auditor; CIAO is upstream of the audit, not part of it.
Scope marker: Activity (legal mandate)
Combined assurance model
A coordinated approach to assurance that integrates and aligns the assurance activities performed by management, internal assurance providers (such as internal audit, compliance, and risk functions), and external assurance providers (such as external audit, certification bodies, and regulators), to provide a holistic view of an organisation’s assurance position to the governing body and other stakeholders (Institute of Directors in South Africa [IoDSA], 2025). The Combined assurance model recognises that no single line of assurance provides complete coverage; meaningful assurance arises from coordinated work across the three lines (management’s own controls, organisational oversight functions, and independent external providers).
See also: Assurance · Audit · Independent Service Auditor · Compliance · King V Code
CIAO note. The Combined assurance model is one of the foundational governance constructs in King V Code on Corporate Governance for South Africa. It is the framing that makes CIAO architecturally legible to South African members: where King V asks for combined assurance, CIAO supports the construct by harmonising the source artefacts each line of assurance is responsible against — internal audit’s testing universe, the compliance function’s regulatory portfolio, the external auditor’s statutory scope. CIAO does not replace any of these assurance lines; it supports the coordination by surfacing the underlying source-artefact requirements in a single harmonised view that all assurance providers can reference.
Scope marker: Construct (governance model)
References
American Institute of Certified Public Accountants. (2017). TSP Section 100 — 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. AICPA. https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services
European Union. (2012). Consolidated version of the Treaty on the Functioning of the European Union, Article 288 — Legal acts of the Union. Official Journal of the European Union, C 326, 26 October 2012. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012E%2FTXT
Institute of Directors in South Africa. (2025). King V Code on Corporate Governance for South Africa 2025 and accompanying Glossary. IoDSA. https://www.iodsa.co.za
International Auditing and Assurance Standards Board. (2011). International Standard on Assurance Engagements 3402 — Assurance Reports on Controls at a Service Organization. IFAC. https://www.ifac.org/_flysystem/azure-private/publications/files/b014-2010-iaasb-handbook-isae-3402.pdf
International Organization for Standardization. (2018). ISO 19011:2018 — Guidelines for auditing management systems (3rd ed.). ISO. https://www.iso.org/standard/70017.html
International Organization for Standardization, & International Electrotechnical Commission. (2004). ISO/IEC Guide 2:2004 — Standardization and related activities — General vocabulary (8th ed.). ISO. https://www.iso.org/standard/39976.html
International Organization for Standardization, & International Electrotechnical Commission. (2020). ISO/IEC 17000:2020 — Conformity assessment — Vocabulary and general principles (2nd ed.). ISO. https://www.iso.org/standard/73029.html
United Nations. (1969). Vienna Convention on the Law of Treaties. United Nations Treaty Series, vol. 1155, p. 331. https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf
Licence: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0). You may copy, redistribute, adapt and build upon this work, for any purpose, even commercially, under the following conditions: appropriate attribution to the CIAO Standard Secretariat is given; a link to the licence is provided; and any derivative work is distributed under the same licence.
Living document. This Glossary is a living ontological frame. Concept families will expand and the relationship layer between concepts will be added in subsequent versions. Errata, additions and refinements are submitted via the Editorial Submission Framework.