Understanding Your SOC 1 Report: What is Scope?

by Joseph Kirkpatrick / January 3rd, 2018

So What Is Scope, Anyway?

No matter what kind of data you’re protecting – financial information, cardholder data, ePHI – you need to understand where your assets reside and what controls are protecting them. This is why the scoping process is so important. If you don’t know where your data is, how do you plan to protect it?

What is scope? How do you determine an accurate definition of scope? The scope of an assessment identifies the people, processes, and technologies that interact with, or could otherwise impact, the security of the information to be protected. Scoping is the first step of any assessment and one of the most important elements of an information security assessment, because ignoring any of the relevant people, processes, or technologies could severely impact the quality and reliability of the entire assessment.

SOC 1 reports were primarily designed to report on the controls of service organizations that are relevant to their clients’ financial statements. For a SOC 1 audit, the scoping process may look something like this:

  • Which locations are involved?
  • Do you have any third parties? What services do they provide?
  • How many business applications and technology platforms are involved?
  • Which systems are involved?
  • What people are responsible?
  • Which processes focus on internal control over financial reporting?

As you work with your auditor, you will determine a proper definition of scope. Scoping is critical to putting boundaries in place for collecting evidence. If you have questions about scoping, SOC 1 audits, or want help demonstrating to your clients your commitment to security and compliance, contact us today.

One of the very first things you’ll work with in a SOC 1 audit is the definition of scope. As you work with your auditor, you will define what the proper scope is for the audit, such as what locations are involved, which services are in scope for the audit, which processes are involved, and which vendors are involved. Are there outsourced services from vendors that are writing code for you or providing IT services for you? The proper definition of scope is critical for putting those boundaries in place and understanding what kind of evidence has to be collected after the fact. So, begin thinking about scope and how you would scope the audit so that you can discuss that with your SOC 1 auditor.