
SOC 2 is an attestation report, so SOC 2 reports can only be issued by qualified CPAs. The CPA is putting their opinion on the report’s assertions, so they have to understand not only the subject matter of SOC 2 but also how an attestation engagement needs to be performed. So how do you know if a CPA is qualified to issue a SOC 2 report? See below.

Subject Matter Expert

The CPA firm (and specifically the CPA signing the SOC 2 report) should be knowledgeable on the subject matter of SOC 2 engagements. Make sure they understand IT controls, security, and other aspects that are relevant for your SOC 2 (cloud environments).

Look at any other credentials the CPA has or talk to them about their past experiences with SOC 2.

The Firm Is Licensed

The CPA firm needs to be licensed in its home state and have the ability to perform work in your state. Check the CPA firm’s license on its home state’s board of accountancy website, and make sure the license is current.

The firm may also have “mobility” to perform work in other states.

Peer Review

Peer review is the CPA profession’s way of “policing” itself. Another firm will come to review the CPA firm’s processes and procedures, as well as evaluate a sample of engagements from the firm in order to determine that the CPA firm is performing engagements the way they should to meet industry requirements. You should ask for a copy of their peer review report and make sure that it is current. Similar to SOC 2, peer review reports are “clean” if unqualified.

The CPA firm should be peer-reviewed through either their state board of accountancy or the AICPA.