How do you verify your SOC 2 auditor is a real CPA?

TL;DR
  • A SOC 2 report is signed in the firm's name, but a firm is just a legal wrapper. It can be a shell, a mailbox, or a front for work done somewhere else.
  • What gives that signature meaning is the individual CPA who actually performs your audit and stands behind it. That is who you verify.
  • Two minutes on CPAverify.org confirms both the firm's registration and the individual's active license. Get the lead auditor's name in writing first.
  • Then ask the human question: how many audits like mine have you done? Experience is the one thing a shell cannot fake.

Verify the people, not the logo

A SOC 2 report is signed in the firm's name. Under the AICPA's attestation standards (SSAE 18, and within it AT-C sections 105 and 205, the rulebook a CPA follows to perform and report on an examination), only a licensed CPA firm can issue one. A compliance platform, the software you use to track controls and collect evidence, cannot. That part you have probably heard.

Here is the part that actually protects you. A firm is a legal wrapper. Anyone can register an entity, rent a virtual mailbox in a US city, and put "CPA firm" on a website. What cannot be faked the same way is the individual CPA who actually performs your audit and stands behind it. The firm's name is on the report, but the work and the judgment behind that signature belong to a real person. So do not stop at "the firm." Verify the people too: the licensed CPA who runs your engagement and represents the firm on your opinion (the audit and the CPA's formal conclusion about your controls), and the firm itself.

That distinction stopped being academic in 2026. A YC-backed compliance startup that had raised $32 million was reported to have produced 493 near-identical SOC 2 reports out of 494 examined, with the same paragraphs, the same grammatical errors, only the company name swapped. The work was reportedly routed through offshore operations fronted by US virtual mailboxes and shell entities while the marketing said "independent US CPA firms." Delve denied the allegations, which remain contested. I would take it as the pattern to learn, not the company to fixate on. The question is not "is there a PDF." It is "who are the people who actually did this work, and are they real."

You can answer that in about two minutes, before you ever sign an engagement letter (the contract that defines what the audit covers and what each side is responsible for).

Step 1: Get the name of the CPA who runs your audit

Before anything else, ask one question. Which individual CPA will lead and perform my audit, and which firm will issue the report? Get the firm's exact legal name and the state it is registered in, in writing.

A real firm answers this immediately. If a provider will not name the person doing the work, or routes you only to a dashboard and a support queue, that tells you something on its own. The opinion is the product. You are allowed to know whose work stands behind it.

Step 2: Verify the license, the person first

A CPA license belongs to a person. A firm needs its own separate registration with a state board to perform attest work, the formal examination behind a SOC 2. So you check two things, and you check the human one first.

The free national tool is CPAverify, run by NASBA (the National Association of State Boards of Accountancy). It pulls directly from the state boards.

  • Go to cpaverify.org. Use the CPA tab to look up the individual who will run your engagement, then the Firm tab for the firm that issues the report.
  • Search by name, license number, or state.
  • Confirm both read active, in the state the firm claims to operate from, with no disciplinary history.

If the individual's license does not check out, nothing else matters. The opinion would not be a valid SOC 2 no matter how polished the PDF.

Step 3: Ask what they have actually done

This is the step almost nobody takes, and it is the one that tells you whether you have an experienced auditor or someone simply assigned to your account. A SOC 2 is a specialist examination of security, IT, and governance controls, not generic accounting, and not every CPA is trained to do it. The license is the floor, not the proof.

So ask the human questions:

  • How many SOC 2 examinations have you personally led?
  • Have you audited companies that look like mine, on a stack like mine?
  • Who actually does the fieldwork, and where are they?

You are listening for specifics. An experienced auditor talks fluently about scoping (deciding which systems the audit covers) and sampling (picking which records to test) and the gaps they tend to find. Someone reading from a script does not. Experience is the one thing a shell entity cannot manufacture, and it is exactly what the cheapest audit channel attached to a platform tends not to give you. If you never meet the people whose work backs your report, you have no way to know which kind you got.

What about peer review?

You may read that you should check a firm's AICPA peer review. Peer review is real and worth knowing about. It is the audit of the auditor: every three years another CPA firm samples a firm's reports and the underlying evidence to confirm the work supports the opinions, and accepted reviews are posted in a public file.

One honest caveat, because it cuts both ways. Peer review runs on a multi-year cycle, and a brand-new firm enrolls but will not have an accepted review on file yet, simply because its first cycle has not come due. So treat peer review as a plus when it is present, not a disqualifier when it is absent. The signal that always applies is the one above. A named, licensed, experienced human who actually does the work and stands behind it.

The red flags I look for

Five years on the auditor's side teaches you the tells. None is conclusive on its own. Stacked together, they describe an audit that may not have done much testing.

Red flagWhat it usually means
No named individualNobody will tell you, in writing, which CPA actually performs and stands behind the work. A real auditor is happy to be named, because they are accountable for it.
Zero findings, everA real examination finds exceptions. A first-time report with nothing flagged usually means the testing did not happen.
Boilerplate testing languageSection IV, the part of the report that describes what was actually tested, reads identically to every other report: generic "inspected evidence" phrasing, nothing specific to your systems, your samples, or what was checked.
US address you cannot tie to a real officeA virtual mailbox out front, the fieldwork done somewhere else. The marketing says "US CPA firm"; the people doing the work are someone else.
No relevant experienceThe person leading it cannot point to SOC 2 work on companies like yours, or you spent the engagement teaching them your own stack.

The two-minute checklist

Run this before you pay anyone:

  1. Ask which individual CPA performs and leads your audit, and which firm issues the report. Get both in writing, with the state.
  2. Look up that individual on CPAverify (CPA tab). Active license, right state, no discipline?
  3. Look up the firm (Firm tab). Active firm registration in the same state?
  4. Ask what they have audited. SOC 2 experience on companies like yours, and who does the fieldwork.
  5. Ask to see a sample report and read Section IV. Does the testing language describe real procedures, or could it belong to any company?

Pass these and you are dealing with real people doing real work. The report is only ever worth as much as the auditors who actually did it, and that is something you can check before you ever pay.

For why a CPA is the right professional to run a security audit in the first place, see why a CPA audits your security. For why "compliant" is the wrong word for what you are buying, see the SOC 2 compliant myth.

Frequently asked questions

How do I check if a SOC 2 auditor is a real CPA?
Verify the individual CPA who will actually perform your audit, not just the firm. Get the lead auditor's name in writing, look them up on NASBA's CPAverify (app.cpaverify.org) to confirm an active individual license, and confirm the firm that issues the report is registered in the same state. Then ask how many SOC 2 audits they have actually led. The license is the floor; experience is the proof.
Does the individual CPA or the firm sign the SOC 2 report?
The report is issued and signed in the CPA firm's name, which is why you confirm the firm's registration. But the work, the judgment, and the accountability behind that signature belong to the individual CPA who leads the engagement. A firm is a legal wrapper, so verify the person doing the work as well as the firm.
Should I check my SOC 2 auditor's peer review?
You can, and it helps when it is present. Peer review is the audit of the auditor, posted in the AICPA's public file. But it runs on a multi-year cycle, so a brand-new firm may not have an accepted review on file yet. Treat it as a plus, not a disqualifier. The signal that always applies is a named, licensed, experienced CPA who actually performs the work.
What are red flags when choosing a SOC 2 auditor?
Watch for a provider that will not name the individual CPA who performs the work, a firm that never reports any findings, boilerplate Section IV language that could describe any company, and a US address you cannot tie to a real office while the work happens elsewhere. Those were the hallmarks of the 2026 Delve episode, in which a reported 493 of 494 reports were near-identical templates. Delve denied the allegations, which remain contested.
Is my SOC 2 report valid if the firm isn't a licensed CPA firm?
No. If the issuer is not a licensed CPA firm, the report is not a valid SOC 2 opinion under AICPA standards, and the customers relying on it cannot trust it. Before you sign, confirm both the firm's registration and the lead CPA's individual license on CPAverify. If either is missing, the report will not hold up.

Keep reading

Sources
  1. Only a licensed CPA firm can perform a SOC 2 examination and form the opinion; the practitioner has sole responsibility for it (AT-C 205).
  2. CPAverify is NASBA's free national database of licensed CPAs and CPA firms, populated directly by state boards of accountancy.
  3. CPAverify public search lets you look up both individual CPAs and firms by name, license number, and state.
  4. The AICPA Peer Review Public File lets anyone search firms and view enrollment status and accepted peer review documents.