The American Institute of Certified Public Accountants (AICPA) is a U.S. organization that serves the accounting profession and, in particular, CPAs. The AICPA governs a variety of standards and practices that are relevant for CPAs. Because SOC 2 reports are attestation reports, they fall under standards issued by the AICPA for both the service organization and service auditor (or CPA).
The AICPA has a variety of committees, task forces, working groups, etc. that help with the development of standards and practices. Many times, an executive committee will determine what standards and practices need to be developed, updated, etc. From there, working groups or task forces are formed to develop what is needed.
Those working groups consist of AICPA personnel, as well as CPAs in the profession that are knowledgeable of both the subject matter and professional standards. A LOT of work gets put into those groups, and a consensus is formed around the applicable subject matter. There is a technical review, then an executive committee review and approval. After that, there is more review, and standards are then put into place. This is how SSAE 18 was developed, which is the primary standard that drives SOC 2 engagements.
CPAs are also held to other general standards, such as their code of professional conduct, ethics, etc. The AICPA is also involved in the development of those standards as well.
In order for the AICPA to monitor CPA firms for compliance with these standards, there is a peer review process that CPAs have to go through for any attest engagements (including SOC 2). That process determines whether the CPA has followed all applicable standards and practices relative to SOC 2 engagements. CPAs that don’t follow those standards are subject to a variety of penalties.
The AICPA is constantly evolving along with the accounting profession. SOC 2 standards have changed over the years and will continue to change along with technology and other advancements. While there is nothing stated yet, we would expect to see further changes in SOC 2 standards as they relate to automation and new privacy standards and regulations.