SOC 2

How to Scope Systems for SOC 2 (Without Over-Auditing)

A CPA firm's step-by-step method for drawing the SOC 2 system boundary — the five DC section 200 components, subservice organizations, carve-out vs inclusive, and which Trust Services Categories to include.

The short answer

Scoping a SOC 2 means drawing a system boundary around the five system components defined in AICPA DC section 200 — infrastructure, software, people, procedures, and data — that store, process, or transmit customer data or support your service commitments. You include those systems, carve out cloud providers such as AWS, GCP, and Azure as subservice organizations, and exclude unrelated internal tools and staging environments. Scope also means choosing which Trust Services Categories to test.

Key takeaways

  • Scope = the system boundary around five components (DC 200, DC3): infrastructure, software, people, procedures, and data — not a list of controls.
  • Only Security is mandatory. Availability, Processing Integrity, Confidentiality, and Privacy are optional categories selected from your service commitments — each one expands testing.
  • Cloud providers are carved out, not tested. AWS, GCP, and Azure are subservice organizations; you disclose them and the complementary controls (CSOCs) you assume, but their controls stay outside your audit.
  • Right-size, don't over-audit. A vendor is only a subservice organization if its controls are necessary to meet a criterion; ordinary vendors stay out of scope entirely.

What "scope" actually means in SOC 2 — the system boundary and five components

In a SOC 2 examination, "scope" is not a list of controls — it is the system boundary: the specific set of things your report describes and your auditor tests. That boundary is defined in the AICPA's DC section 200 (2018 Description Criteria, with revised implementation guidance — 2022), the criteria your Section 3 system description must satisfy. Get the boundary right and everything downstream — control selection, evidence requests, cost — follows cleanly. Get it wrong and every phase inherits the error.

DC section 200 frames the description around required disclosures: the types of services provided, the principal service commitments and system requirements, the components of the system, and the period covered. Two of those disclosures do the heavy lifting during scoping. The system components (criterion DC3) tell you what is in the boundary; the service commitments and system requirements tell you which Trust Services Categories the boundary must satisfy. Naming both explicitly is what separates a defensible scope from a guess.

The five system components: infrastructure, software, people, procedures, data

DC3 defines a system as five interacting components. Scoping means drawing the boundary around specific instances of each one — this production database, that identity provider, these on-call engineers — rather than around the abstract category. The table maps each component to a concrete SaaS example.

The five SOC 2 system components (DC3) mapped to a SaaS example
Component (DC3)DefinitionIn-scope example (SaaS)Common out-of-scope example
InfrastructureThe physical and virtual resources that support the systemProduction compute, networking, and databases in AWS us-east-1The corporate office Wi-Fi and printers
SoftwareThe programs and operating software that run the systemThe production application, container images, and CI/CD pipelineMarketing website CMS with no customer data
PeopleThe personnel involved in operating and using the systemEngineering, SRE/security, and support staff with production accessSales and finance staff with no production access
ProceduresThe automated and manual procedures that operate the systemAccess reviews, change management, incident response runbooksInternal expense-approval workflow
DataThe information used, processed, or produced by the systemCustomer data in the application database and backupsInternal HR records unrelated to the service

The pattern is consistent: a component instance is in scope when it touches customer data or supports a service commitment, and out of scope when it does neither.

Production environment vs corporate environment — where founders draw the line

The most common founder question is whether laptops, HR tools, and the marketing site are "in scope." The clean line is your production environment — the systems that deliver the service and hold customer data — plus the corporate systems that govern access to production (identity, code, and endpoint management). Your Okta or Google Workspace tenant, your GitHub organization, and your MDM are in scope because they control who reaches production. A corporate finance tool that never touches production or customer data usually is not. Scope also has boundary dimensions beyond production-versus-corporate: which product lines, regions, legal entities, and data centers are inside the boundary. A multi-product company can scope one product now and expand later, but the report must say exactly which.

Step-by-step: how to define your SOC 2 scope

The workflow below is the seven-step method we run in a scoping session — the same sequence reflected in our audit methodology. Each step produces an artifact that feeds the next.

Step 1 — Inventory what stores, processes, or transmits customer data

Start with data, not systems. List every place customer data lives or moves: application databases, object storage, message queues, data warehouses, backups, and logs. Add the systems that operate on that data — the application itself, batch jobs, and integrations. This inventory is the raw material for the boundary; anything that stores, processes, or transmits customer data is a candidate for in-scope.

Step 2 — Map the data flow, then map each asset to the five components

Before you assign components, draw the data-flow diagram — the single most useful scoping artifact. Trace customer data through four stages: how it enters (APIs, web app, file uploads), where it is stored (primary database, caches, backups), how it is processed (application services, pipelines, analytics), and how it exits (exports, webhooks, third-party integrations). The trust boundary is the line around everything in that flow plus the systems that govern access to it. Once the flow is clear, tag each asset against the five DC3 components (infrastructure, software, people, procedures, data). Any asset that appears in the flow but you intend to exclude needs a documented reason.

Step 3 — Classify every vendor: subservice organization or ordinary vendor?

Not every third party belongs in scope. The test from the AICPA guidance is whether the vendor's controls are necessary, in combination with your own controls, to meet one or more applicable trust services criteria. If yes, it is a subservice organization (e.g., your cloud host). If no, it is an ordinary vendor that can stay out of scope entirely. This single question prevents both over-scoping (auditing your CRM) and under-scoping (ignoring your hosting provider). It sits at the heart of good vendor management and third-party risk.

Vendor classification triage — subservice organization vs ordinary vendor
Example vendorControls necessary to meet a TSC?ClassificationScope treatment
AWS / GCP / Azure (hosting)Yes — physical and infrastructure securitySubservice organizationCarve out; disclose and rely on their SOC 2
Stripe (payment processing)Often yes if in the service flowUsually a subservice organizationCarve out; document CSOCs
Datadog (monitoring/logging)Sometimes — if it processes in-scope dataJudgment call; often subservice orgAssess data exposure, then treat accordingly
HR / payroll SaaSNo — does not touch the service or customer dataOrdinary vendorOut of scope entirely

The takeaway: classification is driven by necessity to a criterion, not by how "important" a vendor feels.

Step 4 — Choose carve-out vs inclusive for each subservice organization

For every subservice organization, pick a method (detailed in the comparison below). In nearly all cases you will use the carve-out method: the provider's controls are excluded from your description and testing, but you name the provider, describe its services, and list the complementary controls you assume. The inclusive method — describing and testing the provider's controls inside your report — is technically available but requires the provider's cooperation and written assertion, which cloud providers do not offer.

Step 5 — Select your Trust Services Categories

Scope is not only which systems but which categories. Under TSP section 100, Security (the Common Criteria, CC1–CC9) is mandatory; Availability, Processing Integrity, Confidentiality, and Privacy are optional and selected from your service commitments and system requirements. Each added category brings its own criteria and expands the controls mapped to each Trust Services Criterion, along with the evidence you must produce.

Step 6 — Document CUECs and CSOCs

A complete scope names the controls you do not operate but rely on. Complementary user entity controls (CUECs) are controls you assume your customers implement — configuring SSO, managing their own admin accounts — for your controls to meet the criteria. Complementary subservice organization controls (CSOCs) are the equivalent for carved-out providers. Both are disclosures your Section 3 description must include, and defining them during scoping draws the responsibility line cleanly.

Step 7 — Write the scope statement and lock it before fieldwork

Finally, write a scope statement that names the in-scope services, the system boundary and its components, the subservice organizations and method for each, the selected categories, the CUECs and CSOCs, and the period covered. This becomes the scope paragraph of your report and the boundary in Section 3 — the exact text a buyer reads. Lock it before the observation period begins. Because a Type II tests operating effectiveness across a defined window, mid-period scope changes create testing gaps: add a system or acquire a company mid-period and that change may not be fully testable until the next cycle (which is why scope interacts closely with your choice of Type I vs Type II and observation period). With scope locked, move to a SOC 2 readiness checklist.

“Scoping is the single most impactful decision in a SOC 2 engagement. Over-scope and you burn budget auditing systems no buyer cares about; under-scope and you leave a gap that fails enterprise diligence. The right boundary covers exactly what your customers rely on — nothing more.”

— Sébastien Ruosch, CPA, Director of Audits at Auditsuisse

In-scope vs out-of-scope: a decision matrix

The two questions that settle almost every scope decision are: does it touch customer data, and does it support a service commitment? The matrix below applies them to common assets.

In-scope vs out-of-scope decision matrix (illustrative)
System / componentExample assetTouches customer data?Supports a service commitment?Decision
Production applicationCustomer-facing SaaS appYesYesIn scope
Application databasePrimary DB + backupsYesYesIn scope
Identity providerOkta / Google WorkspaceGoverns accessYesIn scope
Source controlGitHub organizationGoverns prod codeYesIn scope
Staging / dev environmentNon-prod with synthetic dataNo (no real customer data)NoOut of scope
Marketing websiteStatic CMS, no customer dataNoNoOut of scope
Internal analyticsThird-party product analyticsDepends on data sentNoAssess, usually out

When staging genuinely holds no production data, excluding it is both correct and defensible — but document that it uses synthetic data, or an auditor will ask.

Carve-out vs inclusive method explained

Once a vendor is a subservice organization, DC section 200 (criterion DC7) gives you two ways to treat it in the report. The choice affects report length, cost, and who has to cooperate.

Carve-out vs inclusive method for subservice organizations
DimensionCarve-out methodInclusive method
Whose controls are describedOnly yours; the subservice org is named and its services describedYours and the subservice org's controls
Whose controls are testedOnly yoursYours and the subservice org's
Subservice cooperation requiredNoneYes — including a written assertion
Disclosure required (DC7)Name the org, its services, and the CSOCs you assumeFull description of the org's system and controls
Effect on report length / costShorter, lower costLonger, higher cost
When to chooseAlmost always — especially for cloud providersRare — when you control the subservice org and want it inside one report

Why AWS, GCP, and Azure are always carved out in practice

Major cloud providers are, as a matter of near-universal practitioner practice, treated as carved-out subservice organizations. This is not an AICPA rule — the inclusive method is technically permitted for any subservice organization — but it is what happens in reality: hyperscalers will not participate in a customer's audit, provide a written assertion, or open their controls to your auditor. Instead they publish their own SOC 2 report, which you obtain and rely on. You disclose the provider, describe the services it supplies, and document the CSOCs you assume (for example, that AWS enforces physical data-center security).

When the inclusive method makes sense (rarely)

The inclusive method is worth considering only when you have influence over the subservice organization — for instance, a wholly owned affiliate or a small, closely partnered processor — and a buyer wants a single report covering both. Even then, it requires the subservice organization's written assertion and adds testing scope, so most teams still carve out. The CUEC/CSOC quick reference below keeps the complementary-control vocabulary straight.

CUEC vs CSOC quick reference
TermWho implementsDC referenceExample control
CUEC — complementary user entity controlYour customer (the user entity)DC section 200, DC6Customer configures SSO and manages its own admin access
CSOC — complementary subservice organization controlThe carved-out subservice organizationDC section 200, DC7Cloud provider enforces physical data-center security

Choosing Trust Services Categories and how they change scope

Category selection is a scope decision with real cost consequences: each optional category adds criteria and evidence. Anchor the choice to your service commitments and system requirements — the DC-defined concept that governs which categories apply — rather than adding categories speculatively.

Trust Services Category selection guide
CategoryMandatory?Include when...Typical trigger (SaaS / healthtech)
Security (Common Criteria)YesAlways — CC1–CC9 are the baselineEvery SOC 2 report
AvailabilityNoYou make uptime or SLA commitmentsContracts promise 99.9% uptime
Processing IntegrityNoAccuracy of processing matters to customersPayments, billing, data transformation
ConfidentialityNoYou commit to protecting confidential (non-personal) dataHandling customer IP or trade secrets
PrivacyNoYou collect and govern personal information per a privacy noticeConsumer PII; healthtech handling of personal data

Most B2B SaaS start with Security plus Availability; healthtech handling personal data often adds Confidentiality and Privacy and pairs SOC 2 with a HIPAA assessment.

Worked example — a Series A B2B SaaS on AWS (with a healthtech PHI variant)

Here is an anonymized scope statement of the kind that becomes the boundary in Section 3 of a report.

In-scope system. The production SaaS application hosted on AWS (us-east-1), its application database, object storage, and supporting data pipelines; plus the corporate systems that govern access to production — the Okta identity tenant, the GitHub organization for production code, and endpoint management for engineers with production access.

Subservice organizations (carved out). AWS (hosting/infrastructure) and the payment processor. Each is named, its services described, and the CSOCs assumed are documented; the company relies on each provider's own SOC 2 report.

Out of scope. Staging and development environments (synthetic data only), the marketing website, and internal tools that do not touch customer data (HR, expense management).

Categories. Security and Availability.

Healthtech PHI variant. If the same platform handles protected health information, the data component now includes PHI, so the boundary adds the systems that store and transmit it, and the category selection typically adds Confidentiality and Privacy. The PHI-handling systems are scoped jointly with the HIPAA analysis so one boundary serves both examinations.

Compliance-automation platforms such as Vanta, Drata, and Secureframe can auto-discover in-scope infrastructure and monitor for scope drift between periods — useful for keeping the boundary current. They accelerate inventory, but they do not replace the judgment calls above: whether a vendor is truly a subservice organization, which categories your commitments require, and where the production/corporate line sits are decisions a qualified auditor validates.

Common scoping mistakes (and how to avoid them)

Over-scoping. Including non-critical systems and unneeded categories inflates auditor effort, evidence volume, and cost without improving buyer trust. Start from the data flow and add only what touches customer data or a service commitment.

Under-scoping. Excluding a system that quietly processes customer data (a logging pipeline, an analytics sink) creates a gap that enterprise procurement diligence will find. Trace the full data flow, including egress, before excluding anything.

Misclassified vendors. Treating an ordinary vendor as a subservice organization wastes effort; missing a real subservice organization (your host) undermines the report. Apply the necessity-to-a-criterion test consistently.

Scope drift between periods. Adding products, regions, or entities mid-observation-period breaks testability. Lock scope before the window opens and manage changes deliberately. Many scope-related exceptions surface in our roundup of common SOC 2 findings, and scope directly drives your audit timeline. For definitions of the terms used here, see the compliance glossary.

Frequently asked questions

How do you scope systems for a SOC 2 audit?

Draw a boundary around the five system components in AICPA DC section 200 — infrastructure, software, people, procedures, and data — that store, process, or transmit customer data or support your service commitments. Include those systems, carve out cloud subservice organizations, and exclude unrelated internal tools and staging environments.

What is the difference between the carve-out and inclusive method in SOC 2?

Under the carve-out method, a subservice organization's controls are excluded from testing but named and disclosed alongside the complementary controls you rely on. Under the inclusive method, the subservice organization's controls are described and tested inside your report. Carve-out is far more common because it needs no cooperation from the provider.

Is AWS in scope for my SOC 2 report?

In practice, no. Cloud providers like AWS, GCP, and Azure are treated as carved-out subservice organizations. You disclose them by name, rely on their own SOC 2 report, and document the complementary subservice organization controls you assume — but their controls are not tested inside your audit.

What is a subservice organization in SOC 2?

A subservice organization is a vendor whose controls are necessary, combined with your own, to meet one or more trust services criteria — for example, your cloud host. If a vendor's controls are not necessary to meet a criterion, it is an ordinary vendor and can stay out of your SOC 2 scope entirely.

How do I decide which Trust Services Criteria to include in SOC 2?

Security (the Common Criteria) is mandatory. Add Availability if you make uptime commitments, Processing Integrity for transaction or payment accuracy, Confidentiality for non-personal sensitive data, and Privacy for personal data governed by your privacy notice. Each added category expands testing and evidence scope.

What are complementary user entity controls (CUECs)?

CUECs are controls a SOC 2 report assumes your customers implement so your controls can meet the applicable criteria — for example, configuring SSO or managing their own admin access. Defining CUECs during scoping clarifies where your responsibility ends and the customer's begins.

What happens if you over-scope or under-scope SOC 2?

Over-scoping adds non-critical systems and unneeded categories, inflating auditor effort, evidence volume, and cost without improving buyer trust. Under-scoping omits systems that touch customer data, creating gaps that fail enterprise procurement diligence. The right scope covers exactly what customers rely on.

Sources & further reading

  1. AICPA & CIMA — DC section 200, 2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report (With Revised Implementation Guidance — 2022) — the source of the five system components (DC3) and the CUEC/CSOC disclosures (DC6, DC7).
  2. AICPA & CIMA — TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (With Revised Points of Focus — 2022) — the criteria and categories you select during scoping.
  3. AICPA — Statement on Standards for Attestation Engagements No. 18, as amended (through SSAE No. 21, for reports dated on or after June 15, 2022). SOC 2 examinations are performed under AT-C section 105 and AT-C section 205 (Assertion-Based Examination Engagements); AT-C section 320 applies to SOC 1, not SOC 2.
Sébastien Ruosch Reviewed by Sébastien Ruosch, CPA (US & Swiss licensed), Director of Audits at Auditsuisse. Last reviewed July 1, 2026.

Get your scope right the first time

Auditsuisse is a US & Swiss licensed CPA firm. We'll run a scoping session, draw a defensible system boundary, classify your subservice organizations, and quote a fixed fee — see our SOC 2 audit services and scope optimization, or book a call.

Request Consultation
Back to top ↑