Scope Limitations in a SOC Report

The AICPA defines a scope limitation as “An inability to obtain sufficient appropriate evidence.” In a SOC
1 or SOC 2 examination, a scope limitation may occur for the following reasons:

  • Circumstances beyond the control of management. For example, documents that the service
    auditor considers necessary to inspect were in the custody of a vendor whose services are no longer
    in use and the documents no longer exist.
  • Circumstances relating to the nature or timing of the service auditor's work. For example, a
    physical process that the service auditor considers necessary to observe may have occurred before
    the service auditor’s engagement or may not be performed regularly during the examination period.
    (However, an inability to perform a specific procedure does not constitute a scope limitation if the
    service auditor is able to obtain sufficient appropriate evidence by performing alternative
    procedures.)
  • Limitations imposed by management (or the engaging party, if different). For example,
    management may have imposed a limitation that prevents the service auditor from performing a
    procedure that the service auditor considers necessary in the circumstances. Limitations of this kind
    may have other implications for the engagement, such as for the service auditor's consideration of
    risks of material misstatement and for engagement acceptance and continuance.

When a scope limitation occurs, the auditor may be unable to test certain controls that are necessary
to address one or more control objectives in a SOC 1 audit or Trust Services Criteria (TSC) in a SOC 2
audit. The AICPA provides 2 options for the service auditor’s opinion when this happens:

  • Qualified opinion – if the scope limitation is material but not pervasive (i.e., only one or a small
    number of controls cannot be tested because of the scope limitation)
  • Disclaimer of opinion – if the scope limitation is material and pervasive (i.e., a significant number
    of controls cannot be tested because of the scope limitation)

A qualified opinion is more favorable than a disclaimer of opinion because the qualification can be
limited to one or a small number of control objectives (SOC 1) or TSC (SOC 2) whereas the disclaimer
applies to the description of the system as a whole.

When there is a scope limitation and corresponding qualified opinion, management has the opportunity
to provide an explanation as to why it occurred and other qualitative information in an unaudited
section (usually section 5) of the SOC report. In most instances, this is sufficient to alleviate any
questions or concerns of readers of the report.
