How To Scope a SOC 2 Audit

One of the most common questions we hear from clients and colleagues is how do you scope a SOC 2 audit? Based on our experience, here are some best practices for determining the scope of your audit.

First, choose the services that will be in scope.

  • For small organizations and startups, there is usually one umbrella service for the audit and the entire company will be in scope.
  • For large organizations with multiple service lines, there may only be a few service lines that need to be included. Only include the services that will be relevant to the needs of the users of the report.
  • The audit can also be limited to specific business units or subsidiaries if service lines are clearly defined.
  • Office locations may need to be considered if service lines are location-dependent.

Next, for each included service, determine the following components that make up the boundaries of the system:

  • Infrastructure
  • Software
  • People
  • Data
  • Procedures

Third, determine which SOC 2 Categories (Availability, Confidentiality, Processing Integrity, Privacy) should be included in addition to the Security Category.

  • For most organizations, Security, Availability, and Confidentiality will be the most appropriate ones to include.
  • Finally, determine the as of date for a Type 1 or the audit period for a Type 2 that will be covered.
  • Typically, your customers will expect a Type 2 period to cover six to 12 months in order to rely on it.

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc

About SOC 2 Reports

With SOC 2 reports, organizations decide which categories to include in the scope of the examination. This flexibility means reports are unique to each company, while providing a consistent framework to evaluate whether organizations meet the criteria for the categories included in the examination. These examinations are designed for a broad range of users that need information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. The use of this report is restricted. These reports can play an important role in oversight of the organization, vendor management programs, and internal corporate governance and risk management processes.

Schneider Downs SOC Resources

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
IPE 101 – Assessing Management IPE Controls and Report Risks
IPE 101 – Differentiating Populations and Key Reports
$1 Billion a Day: Unpacking the Financial Aftershock of the Change Healthcare Cyber-Attack
IPE 101 – Defining and Understanding Information Produced by Entity
Get the Low Down Before You Download: Exploring the Temu App’s Security Risks
Understanding SOC Report Opinions
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×