Scoping Considerations for Type 2 SOC Reports

Multiple service offerings

Most Type 2 SOC reports cover a single service offering that was operational during the entire period covered by the report. In some instances, however, a Type 2 SOC report may include multiple service offerings. For these reports, each of the services must have been operational throughout the entire period. Because the auditor’s opinion covers the entire period, a report can mislead its users if any of the services were not operational for the whole of that period. There are rare exceptions. For example, an organization may have a brand new service offering that goes live during the period covered by a Type 2 SOC report. If the same policies, procedures and control activities apply to the new service offering as to the rest of the system, it may be acceptable to include the new service in the SOC report even though it was not operational for the entire period. Key considerations for this scenario are:

  • The new service offering should not be a significant element of the system. In other words, it should not represent the primary service and should be more akin to an additional feature.
  • Human Resources policies and procedures applicable to the system as a whole should apply to the new service from the date that it went live.
  • Change management policies and procedures applicable to the system as a whole should apply to the new service from the date that it went live.
  • Logical access controls applicable to the system as a whole should apply to the new service from the date that it went live.
  • The new service and the date that it went live should be described in the system description under “Significant Changes to the System” so that the scope is clear to a user of the report.

Acquisitions

When an organization that receives a Type 2 SOC report acquires another company part way through its examination period, the acquired entity is generally excluded from the scope of the report. The acquisition is described under “Significant Changes to the System”, and the acquired entity is typically added to the scope of the SOC report in the period following the acquisition. This ensures that the controls in the SOC report are applied uniformly across the organization for the entire period. In some instances, the acquired company may not be fully integrated into the organization by the time the next Type 2 SOC reporting period begins, and the organization’s controls might not be adopted by the acquired company for some or all of that reporting period. In these cases, the acquired company may continue to be excluded from the scope of the Type 2 SOC report, and the exclusion should be described in the system description.

New component or application

Another scoping consideration for Type 2 SOC reports is a situation where a new component or application was implemented part way through the period covered by the report. For example:

  • A company may begin using a new vulnerability scanning tool part way through the period.
  • A company changes infrastructure hosting providers part way through the period.

Generally, this is acceptable and only needs to be described in the system description under “Significant Changes to the System”.

Change in performance of controls

A final scoping consideration for Type 2 SOC reports is when the performance of specific controls changes part way through the period. For example:

  • The frequency of vulnerability scanning changes from quarterly to monthly.
  • Security awareness training is added for new hires mid-period.

In these situations, the change in the controls should be described both in the system description (section 3) and in the testing matrix in section 4 of the report, so that a reader can tell which version of the control was in effect for which part of the period.

Thanks for reading!
