A common surprise for first-time teams is that not just anyone can perform a SOC 2 audit. The examination must be conducted by a licensed CPA firm, and that requirement is precisely what gives the resulting report its credibility with enterprise buyers. Understanding who can and cannot perform the audit - and why independence matters - prevents costly missteps in choosing a provider.
This guide explains who performs a SOC 2 audit, the role of the AICPA, why independence is mandatory, and how preparation and attestation are split between different parties.
Only licensed CPA firms
SOC 2 is an attestation governed by the AICPA's professional standards, so only a licensed CPA firm - or an individual CPA - may perform the examination and issue the report. This is not a formality: the CPA license, and the professional standards and oversight that come with it, are what allow the report to function as independent, accountable assurance. Consultancies, compliance-automation vendors, and internal teams can all help you prepare, but none of them can sign the report. When evaluating providers, the first thing to confirm is that the firm issuing the opinion is a licensed CPA firm.
The AICPA's role
The American Institute of Certified Public Accountants defines the Trust Services Criteria against which your controls are evaluated and the attestation standards (SSAE 18, specifically AT-C sections 105 and 205) under which CPA firms perform SOC examinations. The AICPA does not perform audits itself; it sets the framework and standards, and licensed CPA firms apply them. This is why a SOC 2 from one reputable CPA firm means broadly the same thing as one from another - they are all working to the same AICPA standards - and why the report is so widely recognized by buyers.
Why independence is required
Independence is the cornerstone of the entire model. The CPA firm must be independent of the work it audits, which means the people who design, build, or remediate your controls cannot also be the people who attest to them. If the same party did both, the opinion would be self-referential and would carry no weight. This requirement is exactly why the report is trusted: a neutral third party with no stake in the outcome has examined your environment and put its professional name on the conclusion.
Who cannot issue the report
It is worth being explicit about who cannot sign a SOC 2 report, because the market can be confusing. A compliance-automation platform cannot issue your report, though it can collect evidence and connect you to auditors. A security consultancy cannot issue it, though it can prepare your program. Your internal security or compliance team cannot issue it, no matter how capable. Only the independent licensed CPA firm performs the attestation - everyone else supports the process around it.
What to verify about a firm
When selecting the firm that will perform your audit, verify three things together: that it is a licensed CPA firm in good standing with its state board and is enrolled in a peer review program (the AICPA requires this of member firms that perform attestation engagements; there is no separate SOC-specific license to look for); that it has genuine information-security experience rather than only general accounting; and that it has performed SOC 2 engagements for companies like yours. These three in combination predict both a credible report and a smooth engagement. A firm strong on licensing but weak on security depth can still make the experience painful, so all three matter.
Preparation versus attestation
The work of getting SOC 2-ready and the work of attesting to it are deliberately separate. Preparation - scoping, building controls, writing policies, organizing evidence, running a readiness assessment - can be done internally or with an advisor. Attestation - testing the controls and issuing the opinion - is done by the independent CPA firm. Keeping these roles with different parties is what preserves independence, which is why a common and recommended model is an advisory partner for preparation plus a separate CPA firm for the audit. Knowing from the start who will sign the report, and who therefore must stay out of the control-building work, is an important detail when planning SOC 2 compliance.
Can one firm do everything?
A frequent question is whether a single provider can both prepare you and audit you. The answer is no, not for the same engagement: an auditor cannot test and attest to controls it designed or implemented itself, and that is exactly the conflict the independence requirement prohibits. AICPA independence rules do permit a CPA firm to provide certain advisory services to an attest client as long as management keeps responsibility for the controls, which is how some larger firms offer readiness work through separate teams behind strict internal barriers. The cleaner and more defensible approach is still to use distinct organizations: one to get you ready and one to attest. This avoids any appearance of a conflict and keeps your report unimpeachable.
How buyers think about your auditor
Enterprise buyers do pay attention to who performed your audit. They expect to see a licensed CPA firm and generally prefer one with credible information-security experience; an unknown or clearly unqualified firm can trigger additional scrutiny or questions. You do not need the largest or most expensive firm to satisfy this - a reputable, security-literate CPA firm is enough - but choosing your auditor with the buyer's eventual review in mind signals that you took the examination seriously, which smooths their assessment and reflects well on the rigor of your program.
What 'independent' means in practice
Independence is easy to state but worth making concrete. In practice it means the people who scope your program, build or remediate your controls, write your policies, and organize your evidence are not the same people who test those controls and sign the opinion. The auditor must be able to look at your environment with no stake in the conclusion. This is why a provider that offers to both get you ready and audit you for the same engagement creates a problem: their opinion on work they performed themselves is not independent, and a sophisticated buyer - or the profession's own standards - will not regard it as credible.
How to verify a firm's credentials
Verifying an audit firm is straightforward once you know what to check. Confirm that the firm holds a valid CPA license in good standing - state boards of accountancy and NASBA's CPAverify publish license lookups - and that it is enrolled in an AICPA peer review program, which is required of firms that perform attestation engagements. Ask how many SOC 2 engagements they perform annually and request references from companies similar to yours. Probe the security background of the specific people who will run your engagement, not just the firm's overall reputation. Together these checks confirm both that the firm can legally issue your report and that it has the practical competence to make the engagement credible and smooth.
How ISpectra fits in
ISpectra serves as your preparation and program partner - scoping, building controls, automating evidence, and running readiness - and coordinates a separate, independent licensed CPA firm to perform the attestation and issue your report. This preserves the independence the standard requires while giving you expert help, and it is how we keep engagements fast and affordable, with a Type 1 within two months and a Type 2 within four.