SOC 2 audits can only be conducted by a licensed CPA firm or agency accredited by the American Institute of Certified Public Accountants (AICPA).
In addition, the auditor or auditing firm must be a completely independent CPA, which means they have no relationship with the service organization they’re auditing.
SOC auditors are required by the AICPA to:
- Comply with the AICPA’s professional standards
- Adhere to the latest guidance for planning, executing, and supervising audit procedures
- Undergo peer reviews that attest to their credentials and the validity of their audits
What does a SOC 2 auditor do?
SOC 2 compliance requires an external audit conducted by an information security auditor. These SOC 2 experts will evaluate how effective your security program is and determine whether your internal controls meet the requirements of your chosen Trust Services Criteria (TSC).
Depending on the period of time your report covers and whether you’re pursuing a SOC 2 Type 1 or a SOC 2 Type 2 report, your auditor will spend anywhere from a few weeks to a few months working with your team before producing a SOC 2 report.
They’ll likely start by asking key stakeholders questions about your company policies and processes, risk management approach, IT infrastructure, and security controls.
Next, the auditor will review evidence about your control environment. They use this documentation to better understand the design of controls and evaluate their operating effectiveness.
After the assessment, the auditor will create a detailed attestation report summarizing the results and the auditor’s final opinion. An unqualified opinion means your service organization is compliant with SOC 2 requirements.
The audit report covers the auditor’s findings, including a description of the audit scope, results of testing and a list of any cybersecurity issues they uncovered during the audit, and their recommendations for improvements or remediation requirements. It also includes a management assertion, which allows your organization to make claims (or “assertions”) about your own systems and controls.
Some auditing firms offer additional services to help you prepare, such as a gap analysis or SOC 2 readiness assessment. These can be particularly useful if you’re preparing for your first audit, since they give additional insights into whether your service organization’s controls and data security systems are where they need to be for a successful audit.
How to choose a CPA firm for your SOC 2 audit
Choosing an auditor is a crucial step in the AICPA SOC 2 audit process, yet companies often overlook it.
An auditor should have clear experience conducting SOC audits and should be able to point to examples of reports they’ve generated in the past. Ideally, they should have experience working with your specific type of service organization.
Most service organizations conduct interviews with several auditors before hiring one.
Just remember that you’re not only selecting an auditor based on their qualifications — you’re also choosing a person that you’ll be working with for anywhere from a few weeks to a year.
The best SOC 2 auditors are your partners in the compliance process.
It's important to make sure your personalities and priorities are compatible.
Here are a few tips to help you select a SOC 2 auditor: