SOC 1 or SOC 2 Scope Questionnaire

This questionnaire is designed for Lazarus Alliance, an AICPA-accredited Assessment Organization, to document and validate the in-scope boundary prior to conducting a full assessment. It aligns with AICPA requirements for defining the authorization boundary, data flows, external dependencies, and other key scoping elements.

Thank you for beginning the scoping process for your upcoming SOC 1 (SSAE 18 / AT-C Section 320) or SOC 2 examination.

This Scope Questionnaire is the first key step in defining the boundaries of your SOC report. Your responses will help us to:

  • Clearly understand the services you deliver to user entities and customers
  • Identify the in-scope systems, applications, infrastructure, people, and processes
  • Determine the relevant control objectives (for SOC 1 – internal control over financial reporting) or Trust Services Criteria (for SOC 2 – Security, and optionally Availability, Processing Integrity, Confidentiality, and/or Privacy)
  • Confirm any subservice organizations (carve-out or inclusive presentation) and their role in your control environment
  • Establish an accurate system description and examination scope that aligns with AICPA standards and meets the assurance needs of your stakeholders

The questionnaire is structured into sections to ensure a comprehensive scope determination. It should be completed based on CSP-provided documentation, interviews, diagrams, and evidence.

About this Questionnaire

Lazarus Alliance, a licensed CPA firm with specialized IT audit expertise, will coordinate directly with your organization to prepare for and schedule your official SOC 1 and/or SOC 2 examination.

Our experienced SOC assessors, licensed CPAs, and advisors will help determine the appropriate scope, such as SOC 1 for internal control over financial reporting or SOC 2 for the Trust Services Criteria (Security and optionally Availability, Processing Integrity, Confidentiality, and/or Privacy), based on your service offerings, customer requirements, and stakeholder needs.

Upon successful completion of the independent examination and issuance of your SOC report (Type 1 for design or Type 2 for design and operating effectiveness over a period), your organization will demonstrate reliable, third-party assured controls, enhancing trust with customers, partners, and prospects.

Lazarus Alliance, with deep SOC expertise and our innovative IT Audit Machine software, is historically about 46% faster than traditional firms, meaning your SOC compliance and attestation can often be achieved in 5–9 months. — Michael Peters, CEO & Founder

Source Information:

https://lazarusalliance.com/services/audit-compliance/soc/

Organization & Contact Information

Report Type & Framework

Services & System Description

Boundaries & In-Scope Components

Risk & Control Environment (High-Level)

Additional Considerations

Next Steps

Thank you for completing this questionnaire. A Lazarus Alliance Cybervisor will be in contact with you soon.

Frequently Asked Questions

We provide all current SOC suites:

  • SOC 1 (ICFR – controls over financial reporting)
  • SOC 2 and SOC 3 (Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy)
  • SOC for Cybersecurity
  • SOC for Supply Chain

  • SOC 1 focuses on controls relevant to financial reporting (ICFR).
  • SOC 2 examines non-financial controls based on the AICPA Trust Services Criteria (most commonly Security + additional criteria).
  • SOC for Cybersecurity is a broader entity-wide cybersecurity risk management examination that results in a report suitable for public distribution.

For first-time (Type 1 or Type 2) examinations, the process usually spans 6–12 months from kickoff to report issuance. A Type 2 examination requires a minimum 6-month observation period (most organizations choose 12 months for stronger market acceptance).

  • Type 1 tests the design and implementation of controls as of a specific point in time.
  • Type 2 tests both the design and operating effectiveness of controls over a period (minimum 6 months). Type 2 reports are significantly more valuable to customers and prospects.

Yes. We provide gap/readiness assessments, remediation support, and full attestation services. Many clients engage us for the entire lifecycle (readiness → remediation → examination) to ensure the smoothest and most successful outcome.

Yes. All of our SOC engagement leaders and examiners are licensed CPAs with extensive SOC experience, and Lazarus Alliance maintains robust professional liability (E&O) coverage specific to attestation services.

Absolutely. We commonly perform SOC 2 examinations that include Privacy alongside Security and other applicable criteria, which is especially valuable for organizations handling personal information (PII/PI) and needing to demonstrate HIPAA, CCPA/CPRA, GDPR, or other privacy compliance alignment.