For an ISAE 3000 SOC 2 report, the control framework and control descriptions should be described and auditable. An ISAE 3000 SOC 2 report should be audited by an external auditor (CPA, CA, Wirtschaftsprüfer, expert-comptable or RA).
The scope of an ISAE 3000 is generally free; it should relate to non-financial processes. If the Trust Services Criteria are applied, the control framework should be described in accordance with them.