
SOC 2 auditor requirements: who is allowed to issue a report

A SOC 2 report can only be issued by a licensed CPA firm performing an attestation engagement under AICPA standards. Here is what that means for buyers vetting an auditor, and why your readiness platform or consultant cannot sign the report.

Only a licensed CPA firm can issue the report

A SOC 2 examination is an attestation engagement performed under the AICPA's professional standards, and only a licensed CPA firm is permitted to conduct it and sign the final report. The governing literature is the Statement on Standards for Attestation Engagements (SSAE 18, as amended by later SSAEs), codified in the AT-C sections: AT-C 105 sets the concepts common to all attestation engagements, and AT-C 205 covers examination engagements. SSAE 18 itself is not a certification or a badge; it is the standard that dictates how the practitioner plans, performs, documents, and reports on the engagement. Because the deliverable is a CPA's opinion expressing reasonable assurance, the firm must hold an active CPA license in the jurisdictions where it practices. No other type of entity, however technically capable, can produce a report that counts as a SOC 2.

Independence is the rule that surprises buyers most

AICPA standards require the practitioner to be independent in both fact and appearance from the organization being examined. The core principle is that a CPA cannot audit their own work: the auditor may not design or implement controls, take on management responsibilities, or act as a decision-maker in the system under review and then turn around and opine on it. This is why the firm that runs your readiness assessment and writes your controls is generally barred from also issuing your report on those same controls. The AICPA has publicly reinforced independence expectations in the SOC space as the market has grown crowded with bundled offerings. The practical consequence for buyers is that readiness work and the audit itself are separate functions: a single firm may offer both lines of service only under safeguards that keep management, not the auditor, responsible for designing and operating the controls, and in many cases the cleanest answer is a different firm for each.

Why platforms and consultants cannot sign your report

Compliance automation platforms collect evidence, map controls to the Trust Services Criteria, and streamline the workflow, but they are software companies, not CPA firms, so they cannot perform the examination or issue the opinion. The same applies to virtual CISOs, GRC consultants, and security boutiques that help you prepare; they can be enormously useful in readiness, yet the attestation must come from an independent licensed firm. Most automation vendors acknowledge this directly and instead partner with, or refer you to, a network of CPA firms that perform the actual audit. When a vendor's marketing blurs the line between getting you ready and getting you audited, that is a signal to ask exactly who will sign the report and what license they hold. A platform can make evidence collection and readiness faster, but only a CPA's opinion turns that work into a SOC 2 report.

Professional standards and peer review behind the signature

Beyond licensure and independence, a SOC 2 auditor is bound by professional competence requirements, the AICPA Code of Professional Conduct, and a documented system of quality management at the firm level. Since December 15, 2025, firms have been required to operate under the AICPA's Statement on Quality Management Standards No. 1 (SQMS 1), which superseded the older quality control standard (SQCS No. 8) and moved firms to a risk-based approach for designing, implementing, and monitoring quality. Firms that perform SOC 1 and SOC 2 engagements are also subject to the AICPA Peer Review Program, and SOC examinations are treated as must-select engagements during a firm's periodic System Review. That layered oversight, license plus quality management plus external peer review, is what gives a SOC 2 report its credibility with your customers and their procurement teams. It is also why a report from a properly enrolled firm carries weight that an internal assessment or a consultant's letter simply cannot.

How to vet an auditor before you engage

Start by confirming the firm holds an active CPA license and asking which licensed individual will sign your opinion. Ask whether the firm is enrolled in the AICPA Peer Review Program, when its most recent peer review was completed, and what the result was, since a clean, current review is a reasonable proxy for engagement quality. Probe independence directly: if the firm or an affiliate helped build your controls, ask how it keeps the audit function separate and who at your company took responsibility for those controls, and be prepared to use a different firm for the examination if the answer is unconvincing. Look for demonstrated experience with the Trust Services Criteria and with companies of your size and technology profile, not just generic attestation experience. Finally, treat unusually fast or unusually cheap offers with caution, because a defensible SOC 2 opinion requires real evidence testing that takes time and qualified people.
