Scopes


What are scopes?

Scopes are the specific boundaries and focus areas of an audit. A scope outlines the extent and limits of the audit, including the controls, policies, systems, assets, and locations to be reviewed, the processes or areas within the organization to be examined, and the specific objectives to be achieved.

The audit scope is determined based on the audit objectives. Setting a clear scope ensures that the auditor and the client have a mutual understanding of what will be examined and reported upon, helping to ensure the audit is conducted efficiently and effectively, targeting relevant areas that require assessment and analysis.

Create a custom audit scope in TrustOps and exclude any controls, systems, policies, and vendors not in scope for the audit. This minimizes redundant work, reduces the chance of audit exceptions, and ensures you don’t flood your auditor with unnecessary information.

Getting Started

To create and maintain a scope in TrustOps, you will need to know your audit objectives, i.e., what frameworks you are looking to audit, as well as any specific controls, policies, systems, and vendors from your common control framework that are relevant.

Creating a Scope

You can create a scope for standards and define which controls, systems, policies and vendors will be part of it. 

To create a scope, 

  1. Go to your TrustOps program and click on “Scopes” from the left-hand side menu.
  2. Click on the “+ Create New Scope” button.
  3. Enter a scope name. Select one or more scope standards from the search bar.
  4. Click on the “Create Scope” button.
  5. The newly created scope will appear in the main scope.

Controls tab

You can add or remove controls from your scope from this tab. It shows the included and excluded controls in your scope. 

To include controls,

  1. Go to the Controls tab in your scope.
  2. Go to the “Excluded Controls” tab. Select one or more controls and click on the “+ Include in Scope” button. These controls will be added to the “Included Controls” list.
  3. By default, the controls are prepopulated based on the standards selected during scope creation. For example, if the office is under renovation, physical security controls would not be in scope for this year’s audit. As a result, applying the ‘2024 SOC 2’ scope would hide all physical security controls.

To exclude controls,

  1. Go to the Controls tab in your scope.
  2. Go to the “Included Controls” tab. Select one or more controls and click on the “- Exclude From Scope” button. These controls will be removed from the “Included Controls” list and added to the “Excluded Controls” list.

Systems tab

You can add or remove systems from your scope from this tab. It shows the included and excluded systems in your scope. 

To include systems,

  1. Go to the Systems tab in your scope.
  2. Go to the “Excluded Systems” tab. Select one or more systems and click on the “+ Include in Scope” button. These systems will be added to the “Included Systems” list.

To exclude systems,

  1. Go to the Systems tab in your scope.
  2. Go to the “Included Systems” tab. Select one or more systems and click on the “- Exclude From Scope” button. These systems will be removed from the “Included Systems” list and added to the “Excluded Systems” list.

Policies tab

You can add or remove policies from your scope from this tab. It shows the included and excluded policies in your scope. 

To include policies,

  1. Go to the Policies tab in your scope.
  2. Go to the “Excluded Policies” tab. Select one or more policies and click on the “+ Include in Scope” button. These policies will be added to the “Included Policies” list.

To exclude policies,

  1. Go to the Policies tab in your scope.
  2. Go to the “Included Policies” tab. Select one or more policies and click on the “- Exclude From Scope” button. These policies will be removed from the “Included Policies” list and added to the “Excluded Policies” list.

Vendors tab

You can add or remove vendors from your scope from this tab. It shows the included and excluded vendors in your scope. 

To include vendors,

  1. Go to the Vendors tab in your scope.
  2. Go to the “Excluded Vendors” tab. Select one or more vendors and click on the “+ Include in Scope” button. These vendors will be added to the “Included Vendors” list.

To exclude vendors,

  1. Go to the Vendors tab in your scope.
  2. Go to the “Included Vendors” tab. Select one or more vendors and click on the “- Exclude From Scope” button. These vendors will be removed from the “Included Vendors” list and added to the “Excluded Vendors” list.

Scope Details

  1. Go to your TrustOps program and click on “Scopes” from the left-hand side menu.
    The following screenshot shows the Scopes main page with a list of scopes.
  2. Click on the scope in the list.
    The following screenshot shows the details of a scope, along with the Controls, Systems, Policies and Vendors details.

Editing Scope Details

To edit scope details,

  1. Click on the scope from the scope list to open the details page.
  2. Click on the “Edit Scope Details” button and make changes.
  3. Click on the “Update” button.

Using Scopes throughout TrustOps 

Now that you have set up your scopes, several pages across TrustOps will feature a scoping application banner at the top of the page.


Click on the “Apply a Scope” link and select one of the scopes from the dropdown. The content on the page is then updated to include only what is part of the scope.
