SOC 2 Criteria Selection, System Boundaries, and Opinion Formation

This chapter covers SOC 2 examinations and the trust services framework used to evaluate broader system controls. ISC emphasizes how criteria selection, system boundaries, testing, and deviations affect the final report conclusion.

In This Chapter

• Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) explains the control objectives available in SOC 2.
• SOC 2® Description Criteria and System Boundaries covers how the described system is defined for reporting purposes.
• Risk Assessment and Testing Controls for SOC 2® explains how the engagement moves from scope to evidence.
• Evaluating Deviations, Exceptions, and Forming the Opinion focuses on how testing results shape the final conclusion.

How to Use This Chapter

• Read this chapter when SOC reporting is being evaluated beyond financial-reporting relevance alone.
• Focus on which trust services criteria apply and how the system boundary affects the report.
• Return here whenever an ISC question asks how exceptions influence a SOC 2 conclusion.

In this section

• Trust Services Criteria and How SOC 2 Engagements Select Them
  Trust services criteria and how SOC 2 engagements select them.
• SOC 2 Description Criteria, System Boundaries, and Scope Definition
  SOC 2 description criteria, system boundaries, and scope definition.
• Risk Assessment, Control Testing, and Evidence Design in SOC 2
  Risk assessment, control testing, and evidence design in SOC 2.
• Evaluating Exceptions and Forming the Final SOC 2 Opinion
  Evaluating exceptions and forming the final SOC 2 opinion.