
Who Audits the Auditors? Inside the AICPA Peer Review Records of 261 SOC 2 Firms

  • March 26, 2026
Author

Marc Rubbinaccio

Head of Cybersecurity & Compliance

Reviewer

Emily Bonnie

Senior Content Marketing Manager

SOC 2 reports are the standard for demonstrating security maturity to enterprise buyers. But the firms issuing those reports are themselves subject to quality review. 

We scraped 24,041 AICPA peer review records, identified 261 confirmed SOC 2 audit firms, and cross-referenced their quality records to better understand how these firms are held accountable to upholding the highest standards of quality and integrity. Here’s what we learned.

What the AICPA peer review program is and why SOC 2 auditor credibility matters

SOC 2 (System and Organization Controls 2) reports are attestation engagements in which a licensed CPA firm examines an organization's controls against the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. Only licensed CPA firms can issue SOC 2 reports.

Because SOC 2 engagements are examination-level attestation engagements, a firm that performs them must undergo a System Review, the more rigorous of the two peer review types. Unlike an Engagement Review, a System Review evaluates the firm's entire system of quality control, not just a sample of individual engagements.

Enterprise buyers routinely require SOC 2 reports before signing contracts, making the auditor's credibility directly relevant to deal velocity, procurement decisions, and trust. 

A SOC 2 report is only as credible as the firm that issues it. If the auditing firm itself has quality control problems, the assurance it provides is weakened. Peer review is the mechanism designed to catch those problems, and the public record is the tool buyers can use to verify.

How AICPA peer review works

Every CPA firm that performs audits, reviews, or attestation work is required to undergo a peer review. During a peer review, another CPA firm examines actual engagements, evaluates the quality control system, and issues one of three ratings:

  • Pass (the firm's system of quality control was suitably designed and the firm complied with it)
  • Pass with Deficiencies (the system was generally sound, but one or more deficiencies, typically including nonconforming engagements, were identified and corrective action is required)
  • Fail (the system was not suitably designed, or the firm did not comply with it, so it does not provide reasonable assurance of conformity with professional standards)

Subsequent reviews are ordinarily due three years and six months from the year-end of the previous review. The requirement comes from two places: AICPA membership and state licensing boards.

SOC 1 engagements are designated "must-select." If a firm performs SOC 1 work, the peer reviewer is required to examine those engagements. SOC 2 engagements can also be designated must-select. In either case, these engagements cannot be skipped during the review.

AICPA peer review search and the transparency gap

The AICPA maintains a public file search at peerreview.aicpa.org where anyone can search a CPA firm's review history. But what you find depends entirely on the firm's choices and enrollment status.

If a firm chooses to make its results public, you'll see the full picture: the rating (Pass, Pass with Deficiencies, or Fail), the acceptance letter, the peer review report, and any letter of response. This is the best-case scenario for transparency.

But firms can also choose to hide their results. In that case, all you'll see is the period covered by the review and the acceptance date. You will not know whether the firm passed, passed with deficiencies, or failed. 

This is a critical distinction: a hidden rating does not mean the firm passed. It means they chose not to tell you.

If a firm hasn't completed its first peer review yet, there will be no results at all, only whether the firm is enrolled. Under AICPA rules, a firm's initial review is ordinarily due 18 months from the date it enrolled in the program, or should have enrolled, whichever is earlier. Firms are expected to enroll by the report date of their initial engagement. During that window, the firm may be actively issuing SOC 2 reports with no quality review on record.

And if a firm doesn't appear in the search at all, they are not enrolled in the AICPA Peer Review Program. Since enrollment is required for all firms performing attestation work, including SOC 2, a missing listing should raise serious questions.

AICPA peer review results across 24,041 firms: The Overview

We pulled the full AICPA peer review public search file covering all 55 US states and territories. Of the 9,083 firms that chose to make their ratings public:

  • 84.6% received a clean pass
  • 10.3% passed with deficiencies
  • 5.1% failed

13,087 firms in the database have completed reviews but hidden the results. Every one of these firms has an acceptance date on file, confirming a review was completed, but the rating is not disclosed.

Another 1,871 firms haven't completed a review at all. The public has no quality signal for the majority of firms in the system.

Among firms with visible ratings, the gap between enrolled and non-enrolled is stark. Enrolled firms fail at 3.6%. Non-enrolled firms fail at 11.3%, more than three times higher. The pandemic years of 2021 and 2022 saw fail rates spike to 9.3% and 12.0% before settling back to around 4%.

This is the landscape in which SOC 2 auditors operate. Every firm issuing a SOC 2 report is subject to these same requirements. The question is: how do they measure up?

AICPA peer review results across 261 SOC 2 firms: The full status breakdown

We identified 261 confirmed SOC 2 audit firms and categorized each based on their peer review visibility and outcomes: 

  • whether they made their rating public (and what it was)
  • whether they hid it
  • whether their review has aged beyond the standard cycle
  • whether they've never been reviewed at all

Of the 261 firms, 193 (73.9%) received a clean Pass and chose to make that result public. The remaining 68 firms fall into categories that warrant closer examination.

Finding 1: Thirty-one firms hide their results

Thirty-one firms (11.9%) have completed peer reviews but chosen not to disclose the results. The public can see only the review period and acceptance date, not the rating, not the report, not any findings. There is no way to know whether these firms passed, passed with deficiencies, or failed.

This is worth emphasizing: a hidden rating is not a proxy for a passing grade. It simply means the firm chose not to tell you. Peer review results are confidential by default under the AICPA standards.

Ratings are only made public if the firm:

  • joins a quality center (such as PCPS, EBPAQC, or GAQC)
  • performs Yellow Book government audits, or
  • voluntarily opts in.

A hidden rating isn't automatically disqualifying, but it is a question that deserves a direct answer from the firm.

Finding 2: Seventeen firms have aging or overdue reviews

Subsequent peer reviews are ordinarily due three years and six months from the year-end of the previous review. Seventeen firms (6.5%) in our dataset have reviews accepted more than three years ago and are approaching or past that due date. Some are only slightly past the three-year mark, likely with renewals in progress and still inside the standard window. Others are significantly past due: one firm's last review was accepted over thirteen years ago, and another is more than six years past acceptance.

Firms that are past the due date without a completed review may face consequences from their administering entity, including potential termination from the program for failure to cooperate.

Finding 3: Nine firms have never been reviewed

Nine firms (3.4%) are enrolled in the AICPA Peer Review Program but have no rating or acceptance date on file, meaning they have never completed a peer review.

Under AICPA rules, a firm's initial review is ordinarily due 18 months from the date it enrolled in the program, or should have enrolled, whichever is earlier. Firms are expected to enroll by the report date of their initial attestation engagement. Some of these firms may still be within that window.

Regardless of timing, these firms are actively issuing SOC 2 reports, reports that enterprise buyers rely on to evaluate security posture, with no independent quality review on their own work.

Finding 4: Four firms failed while performing SOC 2 audits

Four firms (1.5%) failed their peer review. 

A Fail is the most severe peer review outcome. It means the peer reviewer concluded that the firm's system of quality control was not suitably designed to provide reasonable assurance of performing and reporting in conformity with applicable professional standards, or that the firm did not comply with its own system.

When a firm receives a Fail, the administering entity ordinarily requires corrective actions, which may include requiring the firm to complete additional continuing professional education, hiring an outside party to perform pre-issuance or post-issuance reviews of future engagements, or requiring the firm to join an applicable AICPA audit quality center.

Finding 5: Seven firms had deficiencies documented in their peer review reports

Seven additional firms (2.7%) passed with deficiencies, meaning the quality control system was generally sound but specific deficiencies were identified that could create a situation where the firm would have less than reasonable assurance of performing in conformity with standards. Corrective action was required.

Examples of deficiencies that may result in a "Pass with Deficiencies" rating include:

  • Audit files not containing sufficient evidence to support the opinions issued
  • Engagement quality reviews lacking true independence (partners reviewing each other’s work, for example)
  • Internal inspections not performed by personnel with SOC 2 expertise

5 steps for evaluating a SOC 2 auditor

Peer review is a public, searchable record. Most buyers never check it. Here's what to do:

  1. Search the firm at peerreview.aicpa.org. If nothing comes back, the firm may not be enrolled in the program it's required to participate in. Every firm performing SOC 2 attestations must be enrolled. A missing listing is a significant red flag.
  2. Look for a public rating. If the firm has made its results public, read the report. Check whether SOC engagements were examined and whether any findings were noted. A Pass with Deficiencies or Fail warrants further conversation about what the firm has done to remediate.
  3. If the rating is hidden, ask for it directly. A hidden rating does not mean the firm passed. It means they chose not to disclose. A firm confident in its quality program should be willing to share its results when asked.
  4. If there's no review on file, ask where they are in the process. A firm's initial review is due 18 months from enrollment. A firm issuing SOC 2 reports with no peer review on record has no independent quality validation.
  5. Check the acceptance date. Subsequent reviews are ordinarily due three years and six months from the previous review year-end. If the most recent review is past that window, ask whether a renewal is in progress. The AICPA can terminate a firm's enrollment for failure to complete reviews on time.

Holding the auditors accountable

SOC 2 auditors exist to give buyers confidence that the service organizations they rely on handle data responsibly. Peer review exists to give those buyers confidence that the auditors themselves meet professional standards. Both systems work, but only when buyers know to check.

In our analysis of 261 confirmed SOC 2 audit firms, we found that:

  • 31 hide their results, and hidden does not mean passed.
  • Seventeen have aging or overdue reviews.
  • Nine have never been reviewed at all.
  • And four have outright failed.

For an industry built on trust and transparency, those numbers deserve attention.

How Secureframe built our partner network

The peer review program exists for a reason. When firms participate fully and make their results public, it works. The gaps we found during our analysis (hidden ratings, overdue reviews, firms that have never been reviewed) aren't faults of the system. They're faults of how it's being used.

Secureframe acts as a compliance readiness platform, integrating with our customers' technology to streamline evidence collection, uncover gaps, and reduce the operational burden of getting audit-ready. Many of the organizations we work with have never undertaken a SOC 2 audit and are building their compliance program from the ground up. To set up customers for success, we can provide recommendations to consultants and SOC 2 auditors within our network.

When a customer asks us to recommend an auditor, we treat that as a trust decision, not a referral. Every firm in our partner network has passed our own due diligence review, including peer review verification, and has a demonstrated track record of excellence with our customers. Our customers choose their own independent CPA firm, either through our recommendations or their own research, and the audit result is based entirely on the strength of their security posture, controls, and evidence. 

To learn more about the Secureframe platform or partner network, reach out to partners@secureframe.com.

Methodology

The full AICPA dataset was scraped from peerreview.aicpa.org, covering 24,041 firms across 55 US states and territories. SOC 2 firms were identified through two methods: (1) scraping 12 public auditor directories and industry sources, and (2) text analysis of 19,083 peer review documents, searching for "SOC" mentions in the reviewer's required selections. Firm names were deduplicated using fuzzy string matching and manually verified to resolve DBAs and legal entity differences. Review currency was assessed using the AICPA's standard cycle: subsequent reviews are ordinarily due three years and six months from the year-end of the previous review. Firms were categorized based on their public visibility status, rating outcome, and review currency. Data as of March 2026.
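The record categories used in the five-step check and in the methodology above, as an added example in Python (not the article's own tooling, and none of this data comes from peerreview.aicpa.org): it encodes the two timing rules the article quotes (a first review due 18 months after enrollment, a subsequent review due three years and six months after the prior review period's year-end), maps a firm's public record onto the categories in the breakdown, and applies a suffix-stripping fuzzy match of the kind used to deduplicate firm names. The record layout, the precedence between categories, the suffix list, the 0.92 similarity threshold and every sample firm are assumptions constructed for illustration.

```python
"""Peer review record triage. Added example; field names, category precedence,
suffix list, threshold and sample firms are all constructed for illustration."""
from __future__ import annotations

import calendar
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import Optional

SUBSEQUENT_REVIEW_MONTHS = 42  # 3 years + 6 months from the review period year-end
INITIAL_REVIEW_MONTHS = 18     # from enrollment (or from when enrollment was required)


def add_months(d: date, months: int) -> date:
    """Calendar-safe month arithmetic; the day is clamped (Dec 31 + 6 months -> Jun 30)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class FirmRecord:
    name: str
    enrolled: bool                            # listed in the public search at all
    enrollment_date: Optional[date] = None
    review_period_end: Optional[date] = None  # year-end of the period the review covered
    acceptance_date: Optional[date] = None    # present => a review was completed
    rating: Optional[str] = None              # Pass / Pass with Deficiencies / Fail; None when hidden


def next_review_due(rec: FirmRecord) -> Optional[date]:
    """Date by which the firm's next review is ordinarily due, or None if not determinable."""
    if rec.acceptance_date is not None and rec.review_period_end is not None:
        return add_months(rec.review_period_end, SUBSEQUENT_REVIEW_MONTHS)
    if rec.enrollment_date is not None:
        return add_months(rec.enrollment_date, INITIAL_REVIEW_MONTHS)
    return None


def classify(rec: FirmRecord, as_of: date) -> str:
    """Map one record onto the breakdown categories. Precedence (an assumption here):
    not enrolled, never reviewed, overdue, hidden, then the visible rating; a stale
    review is flagged overdue whether or not its rating was disclosed."""
    if not rec.enrolled:
        return "NOT_ENROLLED"  # enrollment is required for any attestation work
    due = next_review_due(rec)
    overdue = due is not None and as_of > due
    if rec.acceptance_date is None:
        return "NEVER_REVIEWED_OVERDUE" if overdue else "NEVER_REVIEWED"
    if overdue:
        return "OVERDUE"
    if rec.rating is None:
        return "HIDDEN"  # acceptance date on file, rating withheld: not a pass
    return {"Pass": "PASS", "Pass with Deficiencies": "PASS_WITH_DEFICIENCIES",
            "Fail": "FAIL"}.get(rec.rating, "UNKNOWN_RATING")


def classify_all(records: list[FirmRecord], as_of: date) -> dict[str, str]:
    return {r.name: classify(r, as_of) for r in records}


def breakdown(records: list[FirmRecord], as_of: date) -> dict[str, int]:
    return dict(Counter(classify_all(records, as_of).values()))


# Deduplication: strip legal-entity suffixes, then fuzzy-match the remainder.
_SUFFIXES = re.compile(r"\b(llp|llc|pllc|pc|cpas?|co|inc|ltd)\b")


def normalize_name(name: str) -> str:
    s = name.lower().replace("&", " and ")
    s = re.sub(r"[^a-z0-9 ]", " ", s)
    return " ".join(_SUFFIXES.sub(" ", s).split())


def same_firm(a: str, b: str, threshold: float = 0.92) -> bool:
    """Candidate duplicate only; matches still need manual verification."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio() >= threshold


# Constructed sample records (fictitious firms), one per category.
AS_OF = date(2026, 3, 1)
SAMPLE_RECORDS = [
    FirmRecord("Alpha Assurance LLP", True, date(2017, 3, 1), date(2023, 12, 31), date(2024, 6, 15), "Pass"),
    FirmRecord("Beta CPAs", True, date(2018, 5, 1), date(2024, 6, 30), date(2025, 1, 10), None),
    FirmRecord("Gamma & Co PC", True, date(2012, 1, 1), date(2019, 12, 31), date(2020, 9, 1), "Pass"),
    FirmRecord("Delta Audit LLC", True, date(2025, 6, 1)),
    FirmRecord("Epsilon Assurance", True, date(2023, 1, 15)),
    FirmRecord("Zeta Partners", False),
    FirmRecord("Eta CPAs", True, date(2019, 8, 1), date(2024, 12, 31), date(2025, 8, 1), "Fail"),
]

if __name__ == "__main__":
    for name, category in classify_all(SAMPLE_RECORDS, AS_OF).items():
        print(f"{name:22s} {category}")
    print(breakdown(SAMPLE_RECORDS, AS_OF))
```

The precedence matters when a firm is both overdue and hiding its rating: this example reports it as overdue, because a stale review says nothing about current quality either way. Adjust the ordering if your procurement checklist weights the two signals differently.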

Marc Rubbinaccio

Head of Cybersecurity & Compliance

Marc Rubbinaccio is an information security leader with over a decade of experience in cybersecurity. As a former auditor and security consultant, Marc performed and managed security and regulatory audits as a lead QSA. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including PCI DSS, SOC 2, ISO 27001, CMMC, and FedRAMP. He also played an integral role in Secureframe’s own CMMC Level 2 assessment and FedRAMP 20x Low authorization.

Emily Bonnie

Senior Content Marketing Manager

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.