The reports focus on controls grouped into five categories called Trust Services Criteria.
The engagements can be done on an entity-wide, subsidiary, division, operating unit, product line or functional area basis.
Applying the Trust Services Criteria in actual situations requires judgement as to their suitability.
The Trust Services Criteria are used when "evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, processing integrity, confidentiality or privacy of information and systems used to provide product or services" - AICPA - ASEC.
The Trust Services Criteria are aligned to the COSO framework's 17 principles, with additional supplemental criteria organized into logical and physical access controls, system operations, change management and risk mitigation.
The SOC 2 audit provides a detailed report on the organization's internal controls, prepared in compliance with the five Trust Services Criteria.