How to Define Your SOC 2 Audit Scope
Scope is where every SOC 2 engagement begins — and where the most consequential decisions are made. Get scope right, and the examination is appropriately sized, efficiently conducted, and produces a report that buyers accept. Get it wrong in either direction — too broad or too narrow — and the consequences compound throughout the engagement.
SOC 2 audit scope defines the precise boundaries of what CertPro CPA LLC will examine: which systems are included, which services are covered, which AICPA Trust Services Criteria apply, how long the observation period will run, and which third-party providers are within scope as subservice organizations.
Every line in the SOC 2 report’s system description — the services described, the infrastructure listed, the personnel included, the data flows mapped — is a product of scope decisions made at this stage. Buyers read the system description to understand what the report covers. A scope that is too narrow leaves buyers uncertain about whether the systems they rely on are actually covered. A scope that is too broad drives up cost and fieldwork burden without adding buyer value.
This guide from CertPro CPA LLC explains how to define SOC 2 audit scope correctly — including how to identify system boundaries, select Trust Services Criteria, set the observation period, and address subservice organization dependencies.
TL;DR:
Concern: With SOC 2 audit costs and timelines directly tied to the scope of the examination, service organizations find it hard to define their system boundaries accurately — risking over-scoped engagements that drive unnecessary cost, or under-scoped engagements that produce reports buyers reject as incomplete.
Overview: SOC 2 audit scope defines the system boundaries, applicable Trust Services Criteria, observation period, and subservice organization dependencies that CertPro CPA LLC will examine — and it is the foundational decision that determines the cost, timeline, and commercial value of every SOC 2 attestation engagement conducted under AICPA standards.
Solution: Service organizations should approach scope definition as a strategic decision — identifying the systems and services that matter to buyers, selecting criteria that reflect actual service commitments, and excluding from scope any systems or services that do not affect customer data — to produce a report that satisfies enterprise buyer requirements at the most efficient cost.
How to Define Your SOC 2 Audit Scope
SOC 2 audit scope is defined collaboratively between CertPro CPA LLC and the service organization’s management during the engagement planning phase. It covers four dimensions: system boundaries, applicable Trust Services Criteria, observation period, and subservice organization treatment.
Dimension 1 — System Boundaries
The system boundary defines which components of the service organization’s infrastructure, software, data flows, and personnel are included in the examination. It is documented in the system description in Section 3 of the SOC 2 report and forms the basis for all control testing in fieldwork.
The five system components: Every SOC 2 system description must address five components that together define the full scope of the examination:
Infrastructure — the physical and virtual hardware, networks, and facilities used to deliver the in-scope services. This includes servers, databases, networking equipment, cloud infrastructure (AWS, Azure, GCP), co-location facilities, and on-premises data centers. Only infrastructure components relevant to the delivery of in-scope services are included.
Software — the applications, operating systems, databases, middleware, and third-party software used to process customer data as part of the in-scope services.
People — the personnel who perform control activities relevant to the in-scope services, including engineering, operations, customer success, and management — not just the security team.
Processes — the manual and automated procedures used to deliver in-scope services and operate the controls that protect them. Change management, incident response, access management, monitoring, and vendor management processes are all typically within scope.
Data — the types of data processed, stored, and transmitted by the in-scope system — including the sensitivity classification of that data, the data flows that move it through the system, and the data stores where it resides.
What to include and what to exclude: The practical test for system boundary decisions is relevance to customer trust. If a system, process, or data flow could affect a customer’s trust in the service organization’s security, availability, confidentiality, processing integrity, or privacy commitments — it is within scope.
Common exclusions: Internal HR systems (unless they process in-scope customer data), internal finance systems, internal productivity tools, and development environments (provided that production data is not processed in development).
Common inclusions that organizations sometimes try to exclude: Customer-facing APIs that transmit in-scope data, third-party integrations that have access to in-scope systems, and employee access from personal devices where BYOD policies apply.
Dimension 2 — Trust Services Criteria Selection
The Trust Services Criteria selection defines which of the five AICPA criteria — Security, Availability, Confidentiality, Processing Integrity, and Privacy — will be examined. Security is mandatory. The others are selected based on the service organization’s service model and customer commitments.
For a full breakdown of each criterion and which organizations need it, see SOC 2 Trust Services Criteria.
Scope guidance by service type:
| Service Type | Typically Required Criteria |
|---|---|
| SaaS — general B2B | Security |
| SaaS — high uptime SLA | Security + Availability |
| Cloud storage / data processing | Security + Confidentiality |
| Payment processing / fintech | Security + Processing Integrity |
| Healthcare data platform | Security + Availability + Confidentiality |
| Platform handling PII / GDPR scope | Security + Privacy |
| Full-service cloud platform | Security + Availability + Confidentiality + Privacy |
Criteria selection and buyer requirements: The most reliable guide to criteria selection is your buyers’ actual requirements. Review the security questionnaires and vendor qualification documents your buyers send — the questions they ask will indicate which criteria they expect your report to cover. Enterprise buyers in healthcare frequently require Availability. Financial services buyers frequently require Processing Integrity. EU-based buyers increasingly require Privacy.
Over-scoping risk: Including criteria that are not relevant to your service model or your customer commitments adds cost and control burden without adding value to buyers. CertPro CPA LLC advises on the optimal criteria set during scoping.
Dimension 3 — Observation Period
For SOC 2 Type 2 engagements, the observation period is the defined timeframe during which CertPro CPA LLC tests whether controls operated effectively. It is one of the most important scope decisions — and one of the most frequently misunderstood.
First-time engagement observation period: The minimum practical observation period for a first-time Type 2 engagement is six months. A six-month observation period allows first-time organizations to complete their initial engagement and receive a report in a shorter total timeline than a twelve-month period would require.
Renewal engagement observation period: Twelve months is the standard for renewal engagements — providing full annual coverage and aligning the new report’s period end date with the previous report’s, maintaining a continuous, gap-free reporting history.
Observation period start date: The observation period can only begin on a date when all in-scope controls are fully implemented and documented. This is why the SOC 2 readiness assessment and control implementation phase must be completed before the observation period start date — not after.
Aligning with buyer requirements: Some enterprise buyers specify a required observation period end date. CertPro CPA LLC structures the observation period start and end dates to satisfy specific buyer timing requirements where needed. For a full discussion of report validity, see SOC 2 Report Validity.
Dimension 4 — Subservice Organizations
Subservice organizations are third-party providers that perform functions relevant to the in-scope services — and that therefore affect the service organization’s ability to meet its Trust Services Criteria commitments. Identifying and addressing subservice organizations correctly is one of the most technically complex aspects of SOC 2 scoping.
Common subservice organizations: Cloud infrastructure providers (AWS, Azure, GCP); data center providers; payment processors; identity providers managing authentication for in-scope systems; and monitoring service providers.
Two methods are available for addressing a subservice organization in the report:
Carve-out method — the subservice organization’s controls are excluded from the scope of the examination. The system description acknowledges the existence of the subservice organization, identifies the controls that customers must assume the subservice organization has in place, and notes that those controls are not covered by the examination. The carve-out method is most appropriate when the subservice organization has its own SOC 2 or ISAE 3402 report that customers can review independently.
Inclusive method — the subservice organization’s controls are included within the scope of the examination. CertPro CPA LLC extends fieldwork to cover the subservice organization’s controls. This method is less common and typically used only when the subservice organization does not have its own independent assurance report.
Most common approach: The carve-out method is used in the vast majority of SOC 2 engagements. AWS, Azure, and GCP all publish their own SOC 2 Type 2 reports — meaning they can be carved out with the expectation that customers will review the cloud provider’s report independently.
Common Scoping Mistakes and How to Avoid Them
Over-including internal systems — including internal HR, finance, or productivity systems that do not process in-scope customer data inflates scope unnecessarily. Before including any system, ask: does this system affect a customer’s trust in our security, availability, confidentiality, processing integrity, or privacy commitments?
Under-including customer-facing components — excluding customer-facing APIs, integration endpoints, or data transmission channels that customers directly rely on leaves gaps that sophisticated buyers will identify.
Starting the observation period before controls are ready — beginning the observation period before all in-scope controls are implemented and documented creates a period of time during which controls were not operating. Complete the readiness assessment and implement all controls before the observation period begins.
Selecting criteria that do not match service commitments — including Privacy when the service does not handle personal information, or Availability when there are no uptime commitments, creates unnecessary scope and control burden. Match criteria to actual service model and customer commitments.
Not addressing subservice organizations — failing to identify and address material subservice organizations in the system description produces a report that does not accurately describe the system — a finding that CertPro CPA LLC will raise during fieldwork regardless.
The Scope Statement in the SOC 2 Report
The scope of the engagement is reflected in the system description in Section 3 of the SOC 2 report and in the opinion paragraph of Section 1. Buyers read the opinion paragraph to understand which criteria were examined and which observation period was covered — and they read the system description to understand exactly which systems and services the report covers.
A clearly written system description that accurately reflects the in-scope system — including the five system components, the subservice organization treatment, and the complementary user entity controls — is one of the most important deliverables of the scoping phase. Management is responsible for the accuracy of the system description. CertPro CPA LLC reviews it for consistency with our examination findings and for completeness relative to the in-scope system.
Define Your SOC 2 Scope with CertPro CPA LLC
CertPro CPA LLC is a licensed CPA firm that conducts SOC 2 examinations under AICPA AT-C Section 205. Our scoping process is designed to produce an examination scope that accurately reflects your service model, satisfies your buyers’ requirements, and supports an efficient, appropriately priced engagement.
Explore the full SOC 2 hub for detailed guidance on every aspect of the SOC 2 process.
Ready to define your scope? Contact CertPro CPA LLC to begin your SOC 2 engagement.
FAQ
Can scope be changed after the observation period begins?
Scope can be adjusted, but changes after the observation period has started are complex. Adding systems or services to scope mid-period requires controls to have been operating for the full period — which may not be possible. CertPro CPA LLC strongly recommends finalizing scope before the observation period begins.
Does the SOC 2 scope need to cover my entire company?
No. The scope covers the systems and services relevant to the in-scope services described in the system description. Internal systems, back-office operations, and corporate functions that do not affect in-scope customer services can be excluded.
What are complementary user entity controls (CUECs)?
CUECs are controls that customers of the service organization must implement for the service organization’s controls to be effective. For example, a service organization that provides cloud storage may require customers to manage their own user access — meaning if a customer does not deprovision a user’s access, the service organization’s controls alone cannot prevent unauthorized access. CUECs are documented in the system description and are part of the scoping conversation.
How does scope affect SOC 2 cost?
Scope directly drives cost. More systems, more services, more Trust Services Criteria, and longer observation periods all increase the number of controls to be tested and therefore the fieldwork time required. The scoping phase is the most effective point at which to manage engagement cost.