Audit scope defines exactly what is and is not being examined during a SOC 2 audit. It covers which services or systems are in scope, which Trust Services Criteria categories are being assessed, which physical locations and subservice organizations are included, and the time period covered. Scope decisions have significant downstream impact: a broader scope means more controls to test, more evidence to collect, and higher audit fees, but also a more comprehensive report that satisfies more customer requirements. Common scoping decisions include which product lines to include, whether to cover the corporate network or only production systems, and whether to incorporate subservice organizations such as AWS through the carve-out or inclusive method. A well-defined scope statement appears in the "management's description of the system" section of the attestation report. Getting scope wrong is one of the most expensive mistakes in SOC 2 preparation, leading to either over-engineering or gaps that customers will flag during vendor reviews.
Audit Scope
Audit Process · Last updated 2026-05-17