The Scope of a SOC (control objectives and related controls) is defined by the service organization, not the auditor. Therefore, only findings identified in the failure to achieve a control objective included in the scope are disclosed in the auditor’s opinion.