The Ultimate Manual To Who Can Perform SOC 2 Audits

Multinationals, enterprises, and B2B companies take data privacy and information security very seriously. This is why most organizations require technology service providers to be SOC 2 compliant.

If your company doesn’t meet the minimum SOC 2 compliance standards, you’ll find it hard to land high-profile B2B clients and service contracts.

To become SOC 2 compliant, your company needs to pass an audit by independent third-party auditors.

But what are the eligibility criteria for a SOC 2 auditor?

In this detailed guide, we’ll tell you exactly who can perform SOC 2 audits for your company and the other essential steps in this process.

Let’s dive in.

What is SOC 2 Anyway?

Service Organization Control 2 (SOC 2) is a technical audit and certification developed by the American Institute of CPAs (AICPA) as a part of its Service Organization Control reporting platform.

It measures the overall data security and handling standards of technology service providers that store customer data in the cloud. SOC 2 certification signifies that a company is handling, processing, storing, managing, and controlling customer data in a fully secure manner.

SOC 2 is now a necessary certification for SaaS companies and other technology companies to prove that their data security standards align with expectations.

The clientele of enterprise-level B2B organizations now uses SOC 2 audit reports to assess businesses, verify a third-party vendor’s data management processes, and weed out lower-quality providers when shopping for services.

SOC 2 compliant service providers ensure security, availability, processing integrity, confidentiality, and customer data privacy. Organizations working with such companies are safe from data theft, unauthorized access, extortion, malware installation, or any other kind of data manipulation.

Who Can Perform SOC 2 Audits?

The American Institute of CPAs (AICPA) designed the SOC 1 and SOC 2 certifications in 2010 to help organizations protect their data by allowing them to work with only certified service providers.

To maintain SOC 2 certification standards, AICPA only allows its Certified Public Accountants (CPAs) and audit firms to conduct SOC 2 certification audits. Audits performed by firms that AICPA has not approved (or has disapproved) are not acceptable and cannot qualify a company for SOC 2 certification.

To get more clarity on who can perform SOC 2 audits, let’s understand the key stakeholders involved in the process.

AICPA

The American Institute of Certified Public Accountants (AICPA) is the world’s largest member association of professional accountants and has been operational since 1887.

The AICPA has more than 430,000 registered members in 130+ countries across the globe representing many areas of practice, including business and industry, public practice, government, education, and consulting.

AICPA is the primary body that governs various audits and certifications of services provided by CPAs. SOC 1 and SOC 2 are among their top compliance audits.

AICPA is also responsible for the education and certification of CPA professionals and has a rigorous process to test professionals’ skills and upgrade their expertise according to the industry needs.

Independent SOC 2 Auditors

SOC 2 compliance audits can only be performed by Certified Public Accountants (CPAs) and audit firms commissioned by the AICPA.

All CPAs are accountants, but not all accountants are CPAs, which is why you cannot hire a regular accountant to conduct your SOC 2 audit.

Plus, a CPA needs to specialize in information security audits to perform SOC 2 compliance audits. Conventional CPAs specializing in finance without significant experience in information security lack the necessary expertise to conduct SOC 2 audits.

The auditor also needs to be completely independent and unbiased. This means the auditor cannot have any direct or indirect stake in your company’s business and should not be related to any of the key decision-makers on the company’s board.

The AICPA has a rigorous certification process to ensure that CPAs are uniquely qualified. The requirements for a professional CPA include completing 150 semester hours of education, passing all four parts of the certification exam (16 hours of testing in total), and one to two years of relevant work experience. Successful candidates also need to complete 40 hours of professional education during the license period. Several states have additional CPA license requirements on top of the standard criteria devised by AICPA.

Once a candidate passes the certification exam and completes the requirements for the license, they’re awarded the CPA license. However, for the CPA license to stay active, recipients must complete a specific number of Continuing Professional Education (CPE) hours every one to three years.

Maintaining these standards ensures that successful candidates have sufficient expertise to conduct SOC 2 compliance audits and understand the standards devised by AICPA for auditors.

Internal Stakeholders

Since the SOC 2 audit involves a thorough analysis and review of your information security and data management practices, the independent CPA auditors need to work closely with several internal stakeholders from your company.

These stakeholders mainly include your information security manager, the top executives from the information technology department, server management professionals, in-house legal experts, process documentation teams, and various customer-facing roles.

The auditors may involve your company’s CTO, CEO, and CFO in the process as well if needed.

All these internal stakeholders will assist the independent auditors in navigating the company’s policies, reviewing its processes, and practically evaluating the security procedures in place when handling customer data.

Software Automation For SOC 2 Audits

Independent CPAs perform SOC 2 audits. However, the auditors need several reports and documents in specific formats from a company to evaluate its systems and develop a final audit report.

Most organizations create these reports and documents at the last moment before the audit takes place by asking the relevant internal stakeholders.

However, you can automate much of this process using SOC 2 audit software to gather all the relevant information from your records and create reports in the recommended format for the auditors to use during the audit process.

Automating this part of your compliance audit speeds up the whole process and reduces manual interference in the documentation, making it more transparent and efficient.

There are plenty of SOC 2 audit and compliance software options to choose from, depending on your business needs.

How SOC 2 Audits Work

Now that you understand precisely who performs SOC 2 audits and the various stakeholders involved, let’s explore how the audit process works.

There are two types of SOC 2 audit reports.

Type 1: This is often an organization’s first SOC 2 audit report and gives the readers a snapshot of a company’s data security and information handling practices at the time of the audit.

Type 2: This report discusses the effectiveness of your data management, privacy, and security practices put in place since your company’s last SOC 2 audit. Since SOC 2 audits need to be conducted every year to renew the certification, type 2 reports are published annually.

What exactly does a SOC 2 audit report include? Here are the main contents of a typical audit report:

  • An opinion letter from the auditor on the overall compliance standards of the company and the experience during the audit process.
  • Management assertion, which is the version of a company’s management about its systems, processes, practices, and standards.
  • An in-depth review of the company’s core business, the value they offer to clients, and how customer data flows through different segments of the company.
  • Details of the selected trust services categories.
  • The tests conducted during the audit, their results, and compliance levels.
  • Any additional information about the audit process or the company’s data management practices.

SOC 2 Audit Trust Principles

SOC 2 audit processes are based on five core trust principles that apply to most tech service companies.

Let’s discuss these principles in more detail.

Security

This principle states that a SOC 2 compliant organization must ensure complete security of customer data from unauthorized access, theft, manipulation, alteration, destruction, or any other change from its original form.

An auditor must evaluate whether a company has applied access controls and user rights management to satisfy this principle. This could include steps such as data encryption and two-factor authentication to ensure data security.

Availability

This principle requires that a SOC 2 compliant service provider ensures service availability and accessibility to its users at all times.

An auditor must evaluate whether a company has a service level agreement (SLA) that clearly defines the availability commitments for the product, its systems, and the data stored with the service provider.

To ensure that system availability is up to the level agreed in the SLA, SOC 2 compliant service providers must set up a performance monitoring mechanism that alerts the system admin in case of any deviation from the agreed service level.

Additionally, service providers should have a disaster recovery plan and a security handling mechanism to deal with any possible threats to the system.

Processing Integrity

This principle states that a SOC 2 compliant service provider should ensure that the system achieves its purpose by delivering the correct data, in a complete form, at the right time.

A SOC 2 auditor should evaluate whether the data is always complete, valid, accurate, timely, and authorized.

Confidentiality

The confidentiality principle requires that SOC 2 compliant service providers ensure the complete security and confidentiality of sensitive data.

Auditors should evaluate whether the service providers use data encryption and network and application firewalls to ensure confidentiality. Organizations must also maintain high-level access controls to safeguard confidential data from unauthorized access and unwanted exposure.

Privacy

The privacy principle requires that SOC 2 compliant service providers develop a mechanism that addresses the system’s collection, use, retention, disclosure, and disposal of personal information in conformity with an organization’s privacy notice and the criteria determined by AICPA.

This also includes protecting sensitive personal data related to health, race, sexuality, and religion.

Based on these principles, AICPA-licensed SOC 2 auditors evaluate and assess organizations to determine whether they comply with the certification guidelines or not.

How to Become Qualified to Perform SOC 2 Audits

As we’ve already discussed, only AICPA licensed CPAs can conduct SOC 2 audits that are acceptable worldwide.

So how do you become a licensed CPA?

To help applicants understand the licensing process, AICPA has divided it into three segments: Education, examination, and experience.

Let’s explore the steps involved in each segment.

Education

To become an AICPA-approved SOC 2 auditor, applicants must complete 150 semester hours to prove academic qualification.

Some states require more hours, so it’s recommended to check with the AICPA chapter in your state for clarification.

If you’ve already completed the required hours, you can simply show the official academic transcripts and any other documents that AICPA requires.

Examination

Once you satisfy the education requirements, you need to clear the Uniform CPA Exam. AICPA manages this examination, and its content is the same no matter which state you’re attempting it from.

It consists of four sections, and each section is a separate exam:

  • Auditing and Attestation (AUD)
  • Business Environment and Concepts (BEC)
  • Financial Accounting and Reporting (FAR)
  • Regulation (REG)

Each section includes multiple-choice questions, simulations, and written communication.

The passing score for each test is 75, while the highest possible score is 99.

Experience

Once you pass the exam, practical experience is the only requirement left to become a licensed SOC 2 auditor.

AICPA requires that you work one to two years (the exact period varies by state) under a licensed CPA. If you already have this experience, you only need to prove it through an official experience letter.

After satisfying all requirements, you’ll apply for an AICPA license to become an official CPA and a SOC 2 auditor.

Once you become a licensed CPA, you have a couple of conditions to maintain your license:

  • Complete at least 40 hours of continuing professional education (in-house or online) from an AICPA-approved body. This can include conferences, courses, training sessions, and more.
  • Apply for renewal after the end of your license period.
