Trust services criteria, system boundaries, testing, deviations, and opinion formation.
This chapter covers SOC 2 examinations and the AICPA trust services criteria used to evaluate controls over a service organization's system. ISC emphasizes how criteria selection, system boundaries, testing, and deviations affect the final report conclusion.
SOC 2 questions should be scoped before they are answered. The trust services criteria management selected, the system description, and the system boundary determine which controls are relevant and how exceptions affect the report opinion.
| SOC 2 issue | What to decide first | Common ISC trap |
|---|---|---|
| Trust services criteria | Which of the five categories (security, availability, processing integrity, confidentiality, privacy) management has included in the engagement scope. | Assuming all five categories are always included. Security (the common criteria) is the baseline; the other four are in scope only when management selects them. |
| Description criteria and boundaries | What system, services, components, and users are covered by the description. | Evaluating controls outside the described system boundary. |
| Risk assessment and testing | Which controls address the scoped risks and criteria. | Testing controls without linking them to criteria and risks. |
| Deviations and opinion formation | Whether exceptions are isolated, pervasive, or severe enough to change the opinion rather than only being disclosed in the test results. | Treating every deviation as having the same report consequence. |

| Step | ISC question to ask | Reporting effect |
|---|---|---|
| 1. Select trust services criteria | Which criteria are included, and which are outside scope? | Scope determines which controls and risks matter. |
| 2. Define the system boundary | What infrastructure, software, people, procedures, data, and users are described? | Controls outside the boundary should not drive the report conclusion. |
| 3. Map risks to controls | Which controls address the scoped criteria and service commitments? | Testing should connect directly to risk and criteria. |
| 4. Evaluate deviations | Are exceptions isolated, repeated, severe, or pervasive? | Deviation significance determines whether an exception is only disclosed in the test results or the opinion itself is modified. |
| 5. Form the conclusion | Does the evidence support the assertion, description, controls, and report opinion? | SOC 2 reporting must align scope, evidence, exceptions, and conclusion. |

| Checkpoint | Ask before evaluating evidence | Reporting consequence |
|---|---|---|
| Criteria included | Which trust services criteria are actually in scope? | Controls outside the selected criteria should not drive the conclusion. |
| Boundary clarity | Which infrastructure, software, people, procedures, data, and user responsibilities are described? | Misreading the system boundary can make relevant evidence look irrelevant, or the reverse. |
| Control-to-risk link | Which service commitment, system requirement, or risk does each tested control address? | Testing should support the scoped criteria, not a generic control inventory. |
| Exception pattern | Are deviations isolated, systemic, severe, or tied to a missing control? | The report effect depends on significance, not just the count of exceptions. |
| Opinion alignment | Does the final conclusion align with scope, management assertion, description, evidence, and deviations? | SOC 2 answers fail when the opinion wording does not match the engagement facts. |