What is a SOC 2 auditor?

A SOC 2 audit can only be performed by a licensed CPA firm, working under the attestation standards set by the American Institute of Certified Public Accountants (AICPA).

A SOC 2 auditor evaluates how effective your security program is and determines whether your internal controls meet the requirements of the Trust Services Criteria (TSC) you have chosen to include in scope.

Depending on whether you are pursuing a SOC 2 Type 1 report (controls as designed at a single point in time) or a SOC 2 Type 2 report (controls as operated over a review period), your auditor will spend anywhere from a few weeks to a few months working with your team before producing a SOC 2 report.

The audit report documents the auditor's findings: a description of the audit scope, the results of control testing, any exceptions or security issues uncovered during the audit, and the auditor's recommendations for improvement or remediation. It also includes a management assertion, a statement in which your organization makes its own claims (or "assertions") about its system and controls, which the auditor then tests and gives an opinion on.