Q: Why do SOC reports have to be issued by a CPA firm?
A: MJD Answer
The simple answer is that SOC engagements are performed in accordance with standards set by the American Institute of Professional Accountants (AICPA). The attestation standards (SSAE 21) and the SOC 2 trust services criteria were created and codified by the AICPA and state that only a licensed CPA firm is able to perform the service.
The answer to why an accounting firm is responsible for conducting an engagement that generally has nothing to do with accounting is more nuanced. Before I address that question, I want to point out that the requirement for a CPA to issue a SOC report primarily extends to signing the audit report. This means that the audit team may consist of non-CPAs as well. We think having a well-rounded team composed of CPAs and non-CPAs is best for clients.
Back to the earlier question. CPAs have been amongst the most well-established and trusted professions in the world for decades. They have deep experience implementing professional standards and establishing industry oversight. While a non-CPA likely has the knowledge to perform a SOC examination and often is part of the engagement team, CPAs are uniquely positioned to successfully provide the service because of the rigorous certification process, ongoing training requirements, and knowledge of attestation standards.
- CPAs must pass the 4-part CPA exam that covers audit and attest services, IT auditing controls, and cybersecurity fundamentals, among other topics.
- CPAs must participate in continuing professional education (CPE) to maintain their license.
- CPAs are held to high standards. They follow rigorous performance and reporting standards and a code of conduct that requires independence, objectivity, and competence.
- CPA firms must document a thorough system of quality control and are subject to a peer review process and other oversight.
- CPAs are trained to audit internal controls and have a framework established for evaluating and reporting on the system subjected to examination.
It’s easy to say that a CPA has to perform a SOC exam because the AICPA created it, but, hopefully, understanding the rigor behind the CPA profession is helpful in understanding why CPAs must sign SOC reports.
The issuance of SOC reports is typically performed by certified public accounting (CPA) firms or audit firms with expertise in information systems and controls. These firms follow the standards set by the AICPA, such as the Statement on Standards for Attestation Engagements (SSAE) No. 18, to conduct the examinations and issue the SOC reports.
Software Secured shares exactly how penetration testing increases the ROI of your ISO 27001 compliance.
Interviewing auditors is a necessary step in the process as you begin your SOC exam. Here we outline some questions and considerations to help you along the way.
There is nuance to this question, and other well-meaning and very smart people that I respect might give a different answer. But within the volumes of literature that set the standards, the true answer is this: There are absolutely no control requirements for SOC 2 reports.