Scoping Considerations in a SOC 2 Report

One of the unique aspects of SOC 2 reports is that organizations have a great deal of flexibility in determining the scope of their report.  This blog post covers a few common scoping considerations that companies face.

Service Provided

The services included within the scope of a SOC 2 report are one of the main audit planning considerations.  Organizations often have distinct service lines that use a separate group of employees and/or infrastructure, hardware, and software. The service lines may also have very distinct and separate user entities.  Some organizations choose to complete separate SOC 2 audits for each distinct service line, while others include multiple services within the scope of their SOC 2 report.  Including all services within the scope of a single SOC report can be a good choice if your organization’s clients use multiple services.  Conversely, if your clients generally only use one of your unique services, it may be better to only include that unique service within the SOC 2 report to ensure the users of the report are only considering the relevant details of the service they receive.

Newly Acquired Subsidiaries

Similar to the Services Provided section described above, the inclusion of newly acquired subsidiaries within a SOC 2 report can be an impactful decision.  When a subsidiary is newly acquired, there may be incentives to include the subsidiary within the scope of the next SOC 2 report, however this can present challenges if the conditions do not exist to accommodate this transition.  These challenges include lack of mature control processes, lack of documentation related to the control’s operation, lack of uniformity in control processes, lack of consistent operation of controls, and lapse in operation of controls during the transition process, among others.  For organizations that aim to include newly acquired subsidiaries within their next SOC 2 report, we recommend that they first complete a gap analysis to identify any gaps with respect to the design and operation of their system of controls.  Once the identified gaps are remediated and all controls have operated throughout the reporting period of the parent organization, we recommend that the newly acquired subsidiary is included within the SOC 2 report.  This process can take several months depending on the control posture of the subsidiary, however the result is a smooth transition with minimal findings noted within the new SOC 2 report.

Locations and Geography

The location in which the service is provided should also be considered when defining the scope of the SOC 2 report. This factor is especially important for data center colocation providers who may choose to complete a SOC 2 report over a subset of their physical data center locations.  Decreasing the amount of data centers in scope can reduce the complexity of a SOC 2 audit.  Some companies consider decreasing the locations in scope of the SOC 2 audit if there is only demand for a SOC 2 report from clients using specific data center locations.  Similarly, certain services of an organization may be based out of specific geographical locations for specific customers in matching locations.  Depending on the needs of the customers receiving the service, the scope of the SOC 2 report could be modified.

Trust Services Categories

SOC 2 audits focus on the protection and privacy of data. Auditors assess the system-level controls and compare them to the five Trust Services Categories as developed by the AICPA. The Trust Services Categories are as follows:

  • Security: this criterion refers to the protection of system resources against unauthorized access to avoid the misuse of software, data theft, and improper disclosure of information. 
  • Availability: this criterion refers to the accessibility of the system in the context of network performance and incident handling. 
  • Processing Integrity: this criterion addresses whether or not the system achieves its purpose and ensures that data processing is complete, valid, accurate, timely, and organized. 
  • Confidentiality: this criterion refers to data that is restricted access and the ability to adequately safeguard information being stored or processed. 
  • Privacy: this criterion addresses the system’s collection, use, retention, disclosure, and disposal of personal information.

 

Although each category is important to consider, organizations seeking to complete a SOC 2 audit should evaluate the services offered and the commitments they make with respect to the services.  Security is always in scope within a SOC 2 audit, but availability, processing integrity, confidentiality, and privacy are optional categories that an organization’s management can choose to include within the report if it is relevant to their customers.  For example, some organizations have service level agreements with their clients that specify that their service will be available 99.9%+ of the time during any given month the service is provided.  In that example, it is recommended that management of the organization include the availability category within the scope of the SOC 2 report because user entities of the service will expect to see controls in the SOC 2 report related to system availability.  Other times, it is better to exclude certain categories if they are not relevant to the service provided.  For example, if an organization only provides physical infrastructure to its clients and does not have custody of data, the privacy category would not be relevant to include within the report since there are no specific processes over privacy employed by the organization and no commitments related to privacy have been made.

 

Trust Services Criteria Exclusions

The AICPA Assurance Services Executive Committee (ASEC) has developed a set of criteria (trust services criteria) to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity.  These criteria highlight specific points of focus that should be met in order to ensure an organization’s controls are suitably designed and operating effectively. 

In addition to excluding Trust Services Categories from the scope of the SOC 2 report, specific Trust Services Criteria can be “carved out” or presented as “not relevant”.  This occurs when the criteria are not relevant to the organization receiving a SOC 2 report or when the criteria are addressed by controls at one of their vendors.  There are a variety of reasons why specific Trust Services Criteria are excluded, but the most common is that the criteria are “carved out”.  Criteria are “carved out” from the SOC report when the organization relies on their vendor’s controls to address the criteria.  Controls at an organization’s vendor that they rely on to address trust services criteria are called complementary subservice organization controls and these are described within the SOC report.  Criteria can also be presented as “not relevant” if they have no bearing on the service(s) covered in the SOC 2 report.  

Considering and defining the scope of your SOC 2 audit is an important part of planning the project and contacting your SOC auditor can help inform you on the topics described above based on your individual goals.  Thanks for reading!