Cloud 101CircleEventsBlog
Join top cybersecurity experts at the Raleigh, NC LevelBlue's cyber networking event June 20th!

Why Do SOC Reports Have to Be Issued By a CPA Firm?

Why Do SOC Reports Have to Be Issued By a CPA Firm?

Blog Article Published: 04/08/2024

Originally published by MJD.

Written by Chris Giles, CPA, Senior Manager, MJD.


Q: Why do SOC reports have to be issued by a CPA firm?

A: MJD Answer

The simple answer is that SOC engagements are performed in accordance with standards set by the American Institute of Professional Accountants (AICPA). The attestation standards (SSAE 21) and the SOC 2 trust services criteria were created and codified by the AICPA and state that only a licensed CPA firm is able to perform the service.

The answer to why an accounting firm is responsible for conducting an engagement that generally has nothing to do with accounting is more nuanced. Before I address that question, I want to point out that the requirement for a CPA to issue a SOC report primarily extends to signing the audit report. This means that the audit team may consist of non-CPAs as well. We think having a well-rounded team composed of CPAs and non-CPAs is best for clients.

Back to the earlier question. CPAs have been amongst the most well-established and trusted professions in the world for decades. They have deep experience implementing professional standards and establishing industry oversight. While a non-CPA likely has the knowledge to perform a SOC examination and often is part of the engagement team, CPAs are uniquely positioned to successfully provide the service because of the rigorous certification process, ongoing training requirements, and knowledge of attestation standards.

  • CPAs must pass the 4-part CPA exam that covers audit and attest services, IT auditing controls, and cybersecurity fundamentals, among other topics.
  • CPAs must participate in continuing professional education (CPE) to maintain their license.
  • CPAs are held to high standards. They follow rigorous performance and reporting standards and a code of conduct that requires independence, objectivity, and competence.
  • CPA firms must document a thorough system of quality control and are subject to a peer review process and other oversight.
  • CPAs are trained to audit internal controls and have a framework established for evaluating and reporting on the system subjected to examination.

It’s easy to say that a CPA has to perform a SOC exam because the AICPA created it, but, hopefully, understanding the rigor behind the CPA profession is helpful in understanding why CPAs must sign SOC reports.

A: ChatGPT

The issuance of SOC reports is typically performed by certified public accounting (CPA) firms or audit firms with expertise in information systems and controls. These firms follow the standards set by the AICPA, such as the Statement on Standards for Attestation Engagements (SSAE) No. 18, to conduct the examinations and issue the SOC reports.

Share this content on your favorite social network today!