SOC 2 audits must be performed by an independent Certified Public Accountant (CPA) or a CPA firm. The AICPA (American Institute of Certified Public Accountants) sets the professional standards and guidelines that these auditors must follow. While many ‘security automation’ software companies help you prepare for the audit and collect evidence, they cannot issue the final report themselves. Only a licensed CPA firm has the authority to sign off on the audit. This ensures that the person checking your security is bound by professional ethics and a standard of independence, providing the high level of trust that makes a SOC 2 report valuable to outside observers.
