Who actually signs your SOC 2 report?
Your SOC 2 report is signed by a licensed CPA firm, not by a compliance platform. Under AICPA standards (SSAE 18, AT-C 105 and 205), only a CPA can perform the examination and form the opinion, and that practitioner has sole responsibility for it. The platform organizes evidence. The CPA signs.
The signature line is the whole thing
A SOC 2 report is not a certificate, a badge, or a dashboard. It's an opinion. A licensed CPA examined your controls and wrote down, in their own professional judgment, whether those controls were designed and operating the way you say they are. Their name goes on it. Their license backs it.
That work runs under the AICPA's attestation standards: SSAE 18, and within it AT-C section 105 (the concepts common to all attestation engagements) and AT-C section 205 (examination engagements). Read AT-C 205 and one line settles the question of who owns the report. The practitioner "has sole responsibility for the opinion expressed." Not the tool. Not the platform. The CPA.
So here's the question most founders never ask. You're about to hand a report to an enterprise customer that decides whether they trust you. Whose name is on it? If you can't answer that fast, you don't actually know what you bought.
What the platform does, and what it can't
I want to be fair to the compliance platforms here, because they solved a real problem.
Before they existed, getting your evidence ready for an audit was a mess of spreadsheets and screenshots and frantic Slack threads. The platforms cleaned that up. They connect to your AWS, your identity provider, your ticketing system, and they pull evidence automatically. They map it to controls. They tell you what's missing. For a lot of teams that genuinely shrank the painful part.
That's the evidence-organizing layer. It's useful. It is not an audit.
A compliance platform is a software company. It is not a CPA firm, and it cannot become one by writing software. The platforms know this, which is why they don't sign your report. They refer you to a CPA firm to do that part. The subscription and the audit are two separate things. One organizes your evidence. The other is a licensed professional forming an independent opinion and putting their name on it.
| | Compliance platform | CPA firm |
|---|---|---|
| What it is | Software | Licensed accounting firm |
| Job | Collect and organize evidence | Examine controls, form the opinion |
| Signs the report | No | Yes |
| Governed by | Its own terms | AICPA attestation standards |
The practical upshot is one most people miss: you can be audited without renting a platform forever. The platform is optional. The CPA is not.
The buried auditor
Here's the part of the model that bothers me.
On the platform path, a founder can go through almost the entire process talking to software. You log into a dashboard. You connect integrations. You watch a progress bar. You upload a few documents. And then, near the end, an auditor you've barely met issues an opinion that the entire thing rests on.
The validity of your report comes from that person. The license, the independence, the professional judgment, the accountability. All of it lives with the CPA. But the experience is built so that the CPA is the one piece you interact with least.
I'm not saying anyone is doing anything wrong. I'm saying the structure makes it easy to never really meet the person whose license backs your report. And if you never meet them, you should ask a simple question. What did they actually look at?
In my fieldwork, the testing is the job. I pull samples. I trace access changes to tickets. I look at what happened, not just what the policy says. A report that comes out of real testing reads differently from one that came out of a template. If your auditor is mostly a name that appears at the end, you have no way to tell which one you got.
What to do about it
You don't need to be an auditor to protect yourself. You need two minutes and a name.
Get the name. Ask which CPA firm performs the examination and which individual CPA signs the opinion. Get the exact legal name of the firm and the state it's registered in, in writing. A real firm answers this without flinching.
Verify the license. A CPA license is public. Look up the firm and the signing individual on NASBA's CPAverify at cpaverify.org, which aggregates license records from the participating state boards of accountancy. You're confirming an active firm license and an active individual license, in the state they claim. If a state isn't covered there, use that state board's own license lookup.
Check peer review. This is the one buyers don't know to do, and it's the one I'd check first. A CPA firm that performs attestation engagements, SOC 2 included, is subject to peer review: AICPA member firms must enroll, and many state boards require it as a condition of the firm's license. Another CPA firm pulls a sample of its work and confirms the testing actually supports the opinions. The results are published in the AICPA Peer Review Public File at peerreview.aicpa.org. A firm that signs SOC 2 opinions and has nothing on file is the loudest red flag there is. If you can't find it, ask the firm for its most recent peer review report and acceptance letter; a firm that has been reviewed has both.
None of this is gatekeeping. The AICPA's own publication, the Journal of Accountancy, has warned that promises of "fast and easy" can threaten SOC credibility. The people who set the standards are saying it out loud. Speed is not the problem. Speed with nobody real behind the opinion is.
So know your auditor's name. Verify it. The report is only worth what the person who signed it is worth, and that's something you can check before you ever pay.
“The validity of your SOC 2 rests entirely on the CPA who signs it. So if you never really meet that person, ask one thing: what did they actually look at?”
Frequently asked questions
Who can perform a SOC 2 audit?
Can Vanta or Drata issue my SOC 2 report?
Does my compliance platform sign the report?
How do I find out who my auditor is?
Why does it matter who signs?
Want a SOC 2 done by a licensed CPA, without renting a compliance subscription? See pricing or book a call.
Sources
- Under AT-C section 205, a SOC 2 examination is performed by the practitioner, who has sole responsibility for the opinion expressed; the report is the CPA's professional attestation, not a tool's output.
- A CPA license, individual and firm, is publicly verifiable through NASBA's CPAverify, which is populated directly by state boards of accountancy.
- Firms that perform SOC examinations are subject to AICPA peer review, and the results are searchable by the public in the AICPA Peer Review Public File.