SOC 2 is an attestation report. Therefore, SOC 2 reports can only be issued by qualified CPAs. This is because they are putting their opinion on the report’s assertions, so the CPA has to understand not only the subject matter of SOC 2 but also how an attestation engagement needs to be performed. So how do you know if a CPA is qualified to issue SOC 2? See below.
The CPA firm (and specifically the CPA signing the SOC 2 report) should be knowledgeable about the subject matter of SOC 2 engagements. Make sure they understand IT controls, security, and the other aspects relevant to your SOC 2, such as cloud environments.
Look at any other credentials the CPA has or talk to them about their past experiences with SOC 2.
The CPA firm needs to be licensed in its home state and must also be able to perform work in your state. Check the CPA firm’s license on its home state’s board of accountancy website, and make sure the license is current.
The firm may also have “mobility” to perform in other states as well.
Peer review is the CPA profession’s way of “policing” itself. Another firm reviews the CPA firm’s processes and procedures and evaluates a sample of the firm’s engagements to determine whether the CPA firm is performing engagements in a way that meets industry requirements. You should ask for a copy of their peer review report and make sure that it is current. As with SOC 2 reports, a peer review report is “clean” if it is unqualified.
The CPA firm should be peer-reviewed through either their state board of accountancy or the AICPA.