
AICPA peer review explained: why it matters for SOC 2 quality

The AICPA Peer Review Program is the external check on whether a CPA firm actually meets professional standards. For SOC 2 buyers, a firm's peer review status is one of the clearest signals of audit quality.

What the AICPA Peer Review Program is

The AICPA Peer Review Program is a mandatory, periodic external review of a CPA firm's accounting and auditing practice, designed to confirm that the firm performs and reports in conformity with professional standards. A firm enrolled in the program is generally reviewed once every three years by an independent reviewer who is not affiliated with the firm. The review answers a simple but important question that clients rarely get to ask directly: does this firm's work actually hold up when someone qualified inspects it? Enrollment is commonly tied to AICPA membership and to state board licensing requirements, so for most firms doing attest work it is not optional. The program is the profession's primary mechanism for catching quality problems before they undermine the reports clients rely on.

System Reviews, Engagement Reviews, and where SOC fits

There are two main types of peer review. An Engagement Review applies to firms that only perform lower-risk services such as compilations and reviews and focuses on selected reports and documentation. A System Review is the more rigorous one, required for firms that perform audits and attestation engagements, and it evaluates the firm's entire system of quality management as well as a sample of actual engagements. Critically, SOC 1 and SOC 2 examinations are must-select engagements in a System Review, meaning a peer reviewer is expected to pull and test SOC work specifically rather than leaving it to chance. So if a firm performs SOC 2 examinations, its peer review should be a System Review that includes scrutiny of those engagements. That makes peer review status especially meaningful for SOC 2 buyers, because the program targets exactly the kind of work you are buying.

How quality management standards raised the bar

Peer review does not stand alone; it sits on top of the quality framework each firm must maintain. As of December 15, 2025, firms are required to comply with the AICPA's Statement on Quality Management Standards No. 1 (SQMS 1), which replaced the older quality control standard and shifted firms from a rules-based checklist to a risk-based approach for identifying and responding to quality risks. Firms must now document their system of quality management, and that documentation feeds directly into peer review, since reviewers use it to assess whether the firm actually complies with the standards in practice. Related standards address engagement quality reviews and quality management at the individual engagement level. For a SOC 2 buyer, the takeaway is that a firm completing peer review under these newer standards is being held to a more deliberate, risk-aware quality bar than in years past.

What a peer review outcome actually tells you

A System Review concludes with a rating, and understanding the rating helps you interpret it. A pass rating indicates the reviewer found the firm's system of quality management suitably designed and operating effectively, providing reasonable assurance of compliance with professional standards. A pass with deficiencies or a fail rating signals that the reviewer identified one or more weaknesses, which the firm is then expected to remediate, sometimes under follow-up monitoring. A peer review is not a guarantee that every individual report is flawless, and it covers a specific period rather than today's engagement, so it is a strong indicator rather than an absolute warranty. Still, a clean, recent peer review from a firm that performs SOC engagements is meaningful evidence that its SOC 2 work has been independently examined and held up.

How to ask a firm about its peer review

When you are vetting a SOC 2 auditor, asking about peer review is fair, expected, and a quick way to separate serious firms from the rest. Ask whether the firm is enrolled in the AICPA Peer Review Program, when its most recent review was completed, and what the result was; reputable firms will answer without hesitation and can often provide the acceptance letter. Confirm that the review was a System Review and that SOC engagements fell within its scope, since that is what is relevant to your report. You can also ask how the firm maintains its system of quality management under SQMS 1 and who performs engagement quality reviews internally. If a firm is evasive about peer review, cannot point to a recent result, or is not subject to a System Review despite selling SOC 2 examinations, treat that as a reason to look elsewhere.
