
Who Can Perform a SOC 2 Audit?

Only a licensed CPA firm can perform a SOC 2 examination and issue the report. Readiness consultants, compliance automation platforms, and badge vendors can prepare you for the examination — none of them can sign the opinion. Here is why, and how to verify the firm that will sign yours.

Attestation, not certification: SOC 2 is performed under AICPA attestation standards, so the signing firm must be a licensed, independent CPA firm enrolled in peer review. There is no SOC 2 certificate and no certification body.

CPA: the only firms that can sign a SOC 2 opinion
AT-C 205: the AICPA standard behind the examination
500+ audits delivered by TCSA

Plain-English explainer · AICPA attestation rules · Last reviewed July 2026

Only a licensed CPA firm can perform a SOC 2 examination and issue the report. SOC 2 is an AICPA attestation engagement, so the firm signing the opinion must be independent, licensed by a US state board of accountancy, and enrolled in peer review. Consultants, platforms, and non-CPA “certifiers” can prepare you — but they cannot issue the opinion. The rule follows from what a SOC 2 actually is. SOC stands for System and Organization Controls, an AICPA framework, and a SOC 2 is not a certificate anyone can award — it is an examination performed under the AICPA’s attestation standards, culminating in a written opinion. Attestation is regulated public accountancy, which is why the attestation your customers rely on can only come from a CPA firm. That one fact sorts the whole market: the opinion comes from the CPA firm; everything else — readiness consulting, automation tooling, badges — is preparation.

The Rule

Why Only a CPA Firm Can Sign

A SOC 2 examination is performed under the AICPA’s attestation standards (SSAE) — AT-C section 105, the concepts common to all attestation engagements, and AT-C section 205, which governs examinations. Attestation is part of the regulated practice of public accountancy, so the practitioner must be a CPA firm licensed by a US state board of accountancy. Four more requirements attach before the firm can take the engagement:

  • Licensure — the firm holds a current license or registration with a US state board of accountancy, and the report is issued in the firm’s name.
  • Independence — the firm must be independent of your organization under the AICPA Code of Professional Conduct, in fact and in appearance, for the whole engagement and period covered.
  • Peer review — the firm must be enrolled in the AICPA peer-review program, under which another CPA firm periodically inspects its accounting and attestation practice.
  • Due professional care — planning, supervision, professional skepticism, and sufficient appropriate evidence behind the opinion, as the attestation standards require.

In practice, engagement teams blend CPAs — who own engagement acceptance, supervision, and the opinion — with IT-audit specialists holding CISA, CISSP, or cloud-security credentials, who perform much of the control testing. That blend is normal and desirable: testing access reviews across a modern cloud stack is specialist work. The line to hold is the signature, not the staffing: the opinion is rendered in the name of the licensed CPA firm, never an individual credential-holder. A CISA practicing alone cannot issue a SOC 2; a licensed CPA firm employing CISAs issues most of them.

Myth-Busting

There Is No SOC 2 Certification Body

If you come from the ISO world, the missing machinery is the giveaway. ISO/IEC 27001 runs on accredited certification bodies that issue certificates with registration numbers. SOC 2 has none of that apparatus: nobody “accredits SOC 2 auditors” — state boards license CPA firms, and the AICPA’s Code and peer-review program police quality. And the output is not a certificate but a long, detailed report containing management’s assertion, a description of your system, the auditor’s opinion and, in a Type 2, every control tested and every result.

  • There is no “SOC 2 certificate.” The deliverable is an examination report containing the CPA firm’s opinion — if a provider promises a certificate instead of a report, ask which standard it is issued under.
  • There is no accredited certification body for SOC 2 — no registrar, no certificate number, no official directory of “certified” companies to look yourself up in.
  • A non-CPA “certifier” cannot make a SOC 2 exist. A badge or seal with no CPA firm’s examination report behind it is not a SOC 2 in any form your customers’ auditors will recognize.
  • “SOC 2 certified” is loose marketing shorthand — what procurement teams and user auditors actually request is the report itself.

None of this requires assuming bad faith — many “SOC 2 certification” packages are genuine readiness services wearing a loose label. The test is a single question: which licensed CPA firm will issue the opinion, and under which standard? A credible provider answers in one sentence — a named firm, AT-C 205. If the answer is a badge, a portal, or a change of subject, you are buying preparation dressed up as an outcome that does not exist.

The Ecosystem

Consultants, Platforms, and the CPA Firm

Most SOC 2 journeys involve up to three kinds of provider, and most bad purchases happen when a buyer mistakes one role for another.

Readiness consultants do the preparation: gap assessment against the Trust Services Criteria, control design and remediation, policy drafting, evidence preparation, and project-managing the path to fieldwork. What they cannot do is examine their own preparation. Under the AICPA Code’s independence and nonattest-services rules, a firm that designs and implements your controls generally cannot then attest to those same controls where that impairs its independence — an auditor must never audit its own work. That rule is why the ecosystem splits into readiness on one side and independent examination on the other.

Compliance automation platforms — Vanta, Drata, Sprinto, Secureframe — are software: continuous evidence collection from your cloud stack, control monitoring, policy templates, task tracking. They compress readiness work that used to live in spreadsheets. But a platform is not an auditor either — the platforms are clear about this themselves, and each maintains a network of partner CPA firms who perform the actual examinations. Subscribing to a platform buys tooling, not an opinion.

The CPA firm is the examiner: it scopes the engagement, tests the controls, evaluates exceptions, and signs the opinion under AT-C 205. It is the only party in the chain whose signature makes the report a SOC 2.

Tranquility Cybersecurity sits deliberately on the readiness side of that line. Our SOC 2 services cover gap assessment, remediation, evidence preparation, and coordinating the examination through empanelled, independent licensed CPA firms — across 500+ audits delivered for clients in India, USA, UK, Australia & UAE, the opinion has always come from the CPA firm, never from us. That separation is what makes the finished report worth your customers’ reliance — the same reasoning behind the published criteria we disclose whenever we compare vendors.

Cross-Border

Can an Indian CA Firm Sign a SOC 2?

In India, the confusion has a specific local flavor. A startup closing its first US enterprise deal often assumes its statutory auditor — a chartered accountant firm registered with ICAI — can “add on” the SOC 2, or that the certification body behind its ISO 27001 certificate can audit it against the Trust Services Criteria too. Neither can. A SOC 2 examination lives under AICPA attestation standards, and the issuing firm must be licensed by a US state board of accountancy. An Indian CA firm or a UK chartered accountancy firm holds serious credentials — under a different regime. Unless the firm also holds a US CPA firm license (some global networks do, through member firms; many local firms do not), it cannot issue an AICPA SOC 2 report.

The cross-border reality: most non-US service organizations engage a US-licensed CPA firm that performs fieldwork remotely, usually alongside local readiness consultants who prepare evidence in the client’s timezone. Nothing about that weakens the report — the standards travel with the license, and the finished report reads identically whether the company operates from Bengaluru or Boston. The one extra step for a non-US buyer: confirm the US licensure explicitly — a local registration, however reputable, is not the license that matters here. Geography does not change the sequencing question either — Type 1 first or straight to Type 2 is a scoping conversation with the CPA firm, wherever you are.

Due Diligence

How to Verify the CPA Firm Signing Yours

Whether you are engaging an auditor or reviewing a vendor’s report, the same short verification pass applies:

  • Confirm state-board licensure. Every US state board of accountancy maintains a public register — check that the firm’s license is current and in good standing.
  • Ask about peer review. Enrollment in the AICPA peer-review program is required — ask when the last review was and what rating it received.
  • Ask who performs the fieldwork. Partner and manager involvement is a quality signal; an engagement fully outsourced to unnamed contractors points the other way.
  • Ask about volume and fit. How many SOC 2 examinations does the firm issue annually — and how many in your industry (SaaS, fintech, healthcare)?
  • Confirm the deliverable. The report should carry the firm’s opinion under AT-C 205 — not a “certificate,” a “seal,” or a letter of completion.
  • Watch the red flags. Fixed-price “certificates,” one-week SOC 2 examinations, and firms happy to design the very controls they will later test are all reasons to walk away.

Past the checklist, watch how the firm behaves before you sign. A good examiner opens with a real scoping dialogue — which Trust Services Criteria beyond Security belong in scope, where the system boundary sits, what the period should be — rather than quoting a flat price for an unexamined system. They set out sampling expectations and evidence formats before fieldwork, not during it. They talk plainly about exceptions — exceptions are a normal feature of Type 2 reports, and a firm that promises a clean report is describing its rubber stamp, not its rigor. And they are honest about timelines. One final norm: a readiness assessment before the examination is standard practice, not an admission of weakness — it is how you avoid paying examination rates to discover gaps a consultant would have flagged months earlier.

Who Can Audit SOC 2 — Common Questions

CPAs, consultants, platforms, and the independence line between them.

Can a non-CPA perform a SOC 2 audit?

No. A SOC 2 is an examination under the AICPA’s attestation standards (AT-C sections 105 and 205), and attestation may only be performed by a CPA firm licensed by a US state board of accountancy. Non-CPA specialists such as CISA- or CISSP-credentialed IT auditors routinely test controls on the engagement team, under the firm’s supervision. A report issued without a licensed CPA firm behind it is not a SOC 2, whatever it is called.

Can our consultant also be our auditor?

Generally no. Under the independence and nonattest-services rules of the AICPA Code of Professional Conduct, a firm that designed and implemented your controls cannot attest to those same controls where that impairs its independence — an auditor must not audit its own work. Tranquility Cybersecurity works on the readiness side and coordinates the examination through empanelled, independent licensed CPA firms; the opinion always comes from the CPA firm.

Can an Indian CA firm issue a SOC 2 report?

Not on the strength of its ICAI registration alone. SOC 2 is an AICPA attestation, so the issuing firm must be licensed by a US state board of accountancy. Some global networks include US-licensed member firms that can issue; most local CA firms cannot. The common arrangement for Indian service organizations is a US-licensed CPA firm performing the examination — usually remotely — supported by local readiness consultants.

Who signs a SOC 2 report?

Two signatures matter. Management of the service organization signs the assertion — its statement that the system description is accurate and the controls were suitably designed (and, in a Type 2, operating effectively). The CPA firm signs the opinion, in the firm’s name rather than any individual’s — a CISA or CISSP credential never signs an opinion; the licensed firm does.

Is there a SOC 2 certification body?

No. There is no accreditation scheme, no registrar, no certificate, and no central directory of “SOC 2 certified” companies. Quality control runs instead through state-board licensure, the AICPA Code, and the peer-review program. The deliverable is an examination report carrying the firm’s opinion — anyone offering a “SOC 2 certificate” without one is offering something that does not exist under AICPA standards.

What does a compliance platform like Vanta, Drata, or Sprinto do versus the auditor?

Platforms are tooling: continuous evidence collection from your cloud and SaaS stack, control monitoring, policy templates, and task tracking. They are not auditors — each maintains a partner network of independent CPA firms that perform the actual examinations. A platform subscription plus a readiness consultant still ends the same way: an independent licensed CPA firm examines your controls and issues the opinion.

Related reading: the Learn hub, What is SOC 2?, how to read a SOC 2 report, SOC 2 opinions & exceptions, CUECs & CSOCs, and SOC 2 services. More terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Last reviewed: July 2026 · Content verified by certified lead auditors
