SOC 2 Guide

How do you verify your SOC 2 auditor is a real CPA?

Verify any SOC 2 auditor in two steps. First, confirm the CPA firm license through your state board of accountancy or the free national lookup at CPAverify.org. Second, check the firm's AICPA peer review status in the public file at peerreview.aicpa.org. No firm license and no peer review on file means walk.

Why this matters more than the logo on the report

A SOC 2 report is not a certificate. It's an attestation opinion, and under AICPA standards (SSAE 18, AT-C sections 105 and 205) the only entity that can issue one is a licensed CPA firm. A compliance platform cannot; its legal structure does not allow it. The platform helps you collect evidence and stay organized. The signature has to come from a CPA who is independent of you and licensed to attest.

That distinction stopped being academic in March 2026. A YC-backed compliance startup that had raised $32 million was found to have produced 493 near-identical SOC 2 reports out of 494 examined, with the same paragraphs, the same grammatical errors, only the company name swapped. The work was traced to offshore operations fronted by US virtual mailboxes and shell entities, while the marketing said "independent US CPA firms." That is the pattern to learn. Not "is there a PDF," but "who actually signed it, and are they real."

You can answer that in about two minutes, before you ever sign an engagement letter.

Step 1: Verify the CPA firm license

A CPA license belongs to a person. But a firm needs its own separate firm registration with the state board of accountancy to perform attest work like SOC 2. So you are checking two things: that the engagement firm holds a current firm license, and that the CPA whose name will be on the opinion holds an active individual license.

The free national tool is CPAverify, run by NASBA (the National Association of State Boards of Accountancy). It pulls directly from the state boards and covers individuals and firms across participating jurisdictions.

  • Go to cpaverify.org. Use the Firm tab to look up the engagement entity, and the CPA tab to look up the individual.
  • Search by name, license number, or state.
  • Confirm the status reads active, in the state the firm claims to operate from, and check for any disciplinary history.

If a firm won't tell you its exact legal name and the state it's registered in, that's your answer. Ask which state board licenses them, then verify it yourself. Don't take the website's word.

Step 2: Check AICPA peer review

Here's the part most buyers don't know to look for, and it's the one a real auditor checks first. Every firm that performs SOC 2 examinations is required to undergo an external peer review every three years. Another CPA firm pulls a sample of their reports plus the underlying evidence and confirms the work actually supports the opinion. It is, literally, the audit of the auditor.

The results live in a public file.

  • Go to the AICPA Peer Review Public File at peerreview.aicpa.org/public_file_search.html.
  • Search by firm name, firm number, city, or state.
  • You want to see an accepted peer review with a pass rating, recent enough to be current (within the last three years).

If a firm that signs SOC 2 reports has nothing on file, ask why directly. There are legitimate edge cases around enrollment timing for a brand-new firm. There is no legitimate version of "we sign SOC 2 opinions and we've never been peer reviewed and we'd rather not talk about it."

The red flags I look for

Five years on the auditor's side teaches you the tells. None of these is conclusive alone. Stacked together, they describe a stamp audit.

Red flag, and what it usually means:

  • Zero findings, ever: A real examination finds exceptions. 493 of 494 clean reports is not quality, it's a template. If your auditor never found anything, the testing didn't happen.
  • A US address you can't tie to a real office: Virtual mailbox out front, work executed offshore. The marketing says "US CPA firm"; the actual fieldwork doesn't.
  • No peer review on file: The single fastest disqualifier. The auditor of the auditor never showed up.
  • Boilerplate testing language: Section IV reads identically to every other report, with generic "inspected evidence" phrasing and no specifics about your systems, your sample sizes, or what was actually tested.
  • No named engagement CPA: Nobody will put their individual license number next to the opinion. A real CPA signs their name because they're accountable for it.

A clean SOC 2 PDF is easy to produce. Verifiable testing behind it is not. The report is supposed to be the receipt for work that happened, not the product itself.

The two-minute checklist

Run this before you pay anyone:

  1. Get the firm's exact legal name and the state it's registered in. In writing.
  2. Look it up on CPAverify (Firm tab). Status active? Firm license present?
  3. Look up the individual CPA who will sign (CPA tab). Active license, same state, no discipline?
  4. Search the firm on the AICPA Peer Review Public File. Accepted review, pass rating, within three years?
  5. Ask to see a sample report and read Section IV. Does the testing language describe real procedures, or could it belong to any company?

Pass all five and you're dealing with a genuine CPA firm doing genuine work. Fail step 2 or step 3, and the report they issue isn't a valid SOC 2 opinion at all. Fail step 4, and you're trusting a firm nobody has ever checked.

For what a real engagement should cost, see the pricing calculator on chiarohq.com or book a call for a number on your scope.


Frequently asked questions

How do I check if a SOC 2 auditor is a real CPA?
Use two free public tools. Look up the firm and the signing CPA on NASBA's CPAverify (app.cpaverify.org) to confirm active firm and individual licenses with your state board of accountancy. Then check the AICPA Peer Review Public File (peerreview.aicpa.org) to confirm the firm has a recent, accepted peer review. Both checks take about two minutes.
Can a non-CPA company issue a SOC 2 report?
No. Under AICPA standards (SSAE 18, AT-C 105 and 205), a SOC 2 examination opinion can only be issued by a licensed CPA firm. Compliance platforms like Vanta or Drata help you collect evidence and stay organized, but they legally cannot sign the report. The signature has to come from an independent CPA firm.
What is auditor peer review?
Peer review is the audit of the auditor. Every CPA firm that performs SOC 2 examinations must undergo an external review roughly every three years, where another CPA firm samples its reports and the underlying evidence to confirm the work supports the opinions. Results are posted in the AICPA's public file, so anyone can check a firm's status before hiring it.
What are red flags when choosing a SOC 2 auditor?
Watch for a firm that never reports any findings, a US address that can't be tied to a real office while work happens offshore, no peer review on file, boilerplate testing language that could describe any company, and no named CPA willing to sign the opinion. Those were the hallmarks of the 2026 Delve scandal, where 493 of 494 reports were near-identical templates.
Is my SOC 2 report valid if the firm isn't a licensed CPA firm?
No. If the issuer is not a licensed CPA firm, the report is not a valid SOC 2 opinion under AICPA standards, and the enterprise customers relying on it cannot trust its contents. Before signing an engagement, verify the firm's license on CPAverify and its peer review status with the AICPA. If either is missing, the resulting report won't hold up.
