CPA · Question 05 · Area I: Information Systems
A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud deployment model hosted in their own data center. Which of the following statements accurately describes the auditor's responsibility regarding the infrastructure in this scenario?
Answer options:
The auditor can rely on the cloud provider's SOC 2 report for physical security controls.
The auditor must test the physical security controls of the data center as part of the engagement.
Physical security is outside the scope of SOC 2 engagements focused on Security and Availability.
The auditor should apply the carve-out method for the infrastructure components.