ISpectra Technologies
Core Concepts · Guide · Updated Jun 2026 · 6 min read

SOC 2 & AICPA Guidelines Explained


SOC 2 does not exist in a vacuum — it is governed end to end by the American Institute of Certified Public Accountants (AICPA). Understanding the AICPA's guidelines clarifies who is allowed to audit you, which professional standards your auditor must follow, where the Trust Services Criteria come from, and ultimately why a SOC 2 report carries weight with enterprise buyers around the world.

This guide explains the AICPA framework behind SOC 2 in practical terms: the standards that govern the engagement, the criteria your controls are measured against, the description requirements your system narrative must satisfy, and what all of this means when you choose an auditor and build your program.

Who the AICPA is and why it matters

The AICPA is the national professional body for Certified Public Accountants in the United States. It sets the auditing and attestation standards that CPA firms must follow, and it developed and maintains the entire System and Organization Controls (SOC) reporting framework. Because SOC 2 is an AICPA product delivered by licensed CPA firms under professional standards, the report functions as an independent, accountable assurance — not a self-assessment or a vendor badge.

The AICPA's role in SOC 2

The AICPA performs three jobs that shape every SOC 2 engagement. First, it defines the Trust Services Criteria — the outcomes your controls must achieve. Second, it publishes the attestation standards (notably SSAE 18) that govern how auditors plan, gather evidence, and form an opinion. Third, it sets the description criteria that determine what your system description must contain. Together these guidelines ensure consistency and rigor across firms, so a SOC 2 from one CPA firm means broadly the same thing as a SOC 2 from another.


SSAE 18: the attestation standard

SOC 2 examinations are performed under SSAE 18 (Statement on Standards for Attestation Engagements No. 18), the AICPA standard that consolidated and replaced earlier guidance such as SSAE 16. SSAE 18 governs how the auditor approaches the engagement: planning, assessing risk, obtaining sufficient appropriate evidence, evaluating the suitability of control design and operating effectiveness, and forming and expressing an opinion. One notable SSAE 18 requirement is that organizations formally assess the risks associated with their subservice organizations (for example, cloud providers), which is why vendor and subprocessor management is such a consistent focus in SOC 2.

The Trust Services Criteria

The technical heart of SOC 2 is the Trust Services Criteria, defined by the AICPA in TSP Section 100. There are five — Security, Availability, Processing Integrity, Confidentiality, and Privacy — and only Security (the Common Criteria, CC1 through CC9) is mandatory. The Common Criteria align with the COSO internal control framework, which is why SOC 2 covers governance, communication, risk assessment, monitoring, and control activities in addition to technical safeguards. Each criterion is accompanied by points of focus: illustrative considerations that help you and the auditor interpret it.

Description criteria (DC Section 200)

A SOC 2 report is not just a list of controls — it includes a system description, and the AICPA specifies, in the description criteria (DC Section 200), what that narrative must cover. This includes the services provided, the system's infrastructure, software, people, data, and processes, the principal commitments and system requirements, and how subservice organizations and complementary user-entity controls are handled. Management asserts that the description is accurate and presented in accordance with these description criteria, and the auditor evaluates that assertion.

The 2017 and 2022 updates

The AICPA refreshed the Trust Services Criteria in 2017 to align explicitly with the COSO framework's seventeen principles, and again in 2022 with revised points of focus that modernized guidance around areas like confidentiality and emerging technology. The criteria themselves were not overhauled in 2022 — the supporting points of focus were updated — so most mature programs need only minor mapping refreshes rather than a rebuild. Confirm your auditor tests against the current guidance.

Why only CPA firms can issue a SOC 2

Because SOC 2 is an AICPA attestation performed under professional standards, only a licensed CPA firm may conduct the examination and issue the report. Consultancies and compliance-automation vendors can help you prepare — and should — but they cannot sign the report. The CPA firm must also be independent of the work it audits: the team that builds or remediates your controls cannot also attest to them. This separation is precisely what gives the report its credibility with enterprise buyers.

SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity

Within the AICPA's SOC framework, SOC 1 addresses controls over financial reporting, SOC 2 addresses the Trust Services Criteria for a restricted audience, and SOC 3 is a public, general-use summary of a SOC 2. The AICPA also defines a SOC for Cybersecurity report for entity-wide cyber risk programs. Knowing where SOC 2 sits in this family helps you respond accurately when a customer asks for 'a SOC report' without specifying which.

What AICPA guidelines mean for your program

For practitioners, the AICPA framework translates into a few concrete imperatives: choose a licensed, independent CPA firm with genuine security experience; build a system description that satisfies the description criteria; map your controls to the current Trust Services Criteria and points of focus; and maintain evidence rigorous enough to withstand SSAE 18 testing. Get these right and your report will be recognized and trusted wherever your customers operate.

Common misconceptions about AICPA and SOC 2

Because the AICPA framework is often misunderstood, a few clarifications save teams from costly assumptions:

  • SOC 2 is not a government regulation or a law - it is a voluntary, market-driven attestation defined by a professional body
  • SOC 2 is not a certificate - the deliverable is an auditor's report and opinion, not a pass/fail badge
  • The points of focus are not mandatory line items - they are interpretive guidance for meeting each criterion
  • There is no single, universal SOC 2 control checklist - you select controls suited to your environment
  • An automation platform or consultant cannot issue the report - only an independent licensed CPA firm can

Understanding these distinctions up front prevents over-scoping, mis-marketing your report, and choosing the wrong kind of provider for the actual attestation.

Where to find the official AICPA guidance

If you want to go to the primary source, the AICPA publishes the Trust Services Criteria in TSP Section 100, the description criteria in DC Section 200, and the attestation standard as SSAE 18, along with the points-of-focus guidance refreshed in 2022. You do not need to memorize these, but it is worth confirming that your auditor tests against the current versions - an engagement run against outdated criteria or points of focus can create avoidable friction and weaken how your report is received.

How ISpectra works within the AICPA framework

ISpectra prepares your program to AICPA standards — building a description that meets the description criteria, mapping controls to the current Trust Services Criteria, and assembling SSAE 18-ready evidence — then coordinates with an independent licensed CPA firm that issues the report. You get expert preparation and a credible, independent attestation, with the advisory and audit roles kept properly separate. These guidelines form the backbone of SOC 2 compliance.

FAQ

SOC 2 & AICPA Guidelines Explained — Frequently Asked Questions

What is the AICPA's role in SOC 2?
The AICPA defines the Trust Services Criteria, the attestation standards (SSAE 18), and the description criteria that all SOC 2 examinations follow.

Which standard governs a SOC 2 examination?
SSAE 18, the AICPA's attestation standard, which governs planning, evidence, testing, and the auditor's opinion.

Can a consultant or automation platform issue a SOC 2 report?
No, only a licensed CPA firm accredited under AICPA standards can perform the examination and sign the report.

Where do the Trust Services Criteria come from?
From the AICPA's TSP Section 100; they comprise Security plus optional Availability, Processing Integrity, Confidentiality, and Privacy.

What are the description criteria?
DC Section 200 specifies what your system description must contain: services, infrastructure, people, data, commitments, and subservice handling.

What changed in the 2022 update?
It revised the points of focus, not the five criteria themselves, so most programs need only minor mapping updates.

Why must the auditor be independent?
AICPA standards require independence so the opinion is objective; the firm that builds your controls cannot also audit them.