How do you verify your SOC 2 auditor is a real CPA?
- A SOC 2 report is signed in the firm's name, but a firm is just a legal wrapper. It can be a shell, a mailbox, or a front for work done somewhere else.
- What gives that signature meaning is the individual CPA who actually performs your audit and stands behind it. That is who you verify.
- Two minutes on CPAverify.org confirms both the firm's registration and the individual's active license. Get the lead auditor's name in writing first.
- Then ask the human question: how many audits like mine have you done? Experience is the one thing a shell cannot fake.
Verify the people, not the logo
A SOC 2 report is signed in the firm's name. Under the AICPA's attestation standards (SSAE 18, and within it AT-C sections 105 and 205, the rulebook a CPA follows to perform and report on an examination), only a licensed CPA firm can issue one. A compliance platform, the software you use to track controls and collect evidence, cannot. That part you have probably heard.
Here is the part that actually protects you. A firm is a legal wrapper. Anyone can register an entity, rent a virtual mailbox in a US city, and put "CPA firm" on a website. What cannot be faked the same way is the individual CPA who actually performs your audit and stands behind it. The firm's name is on the report, but the work and the judgment behind that signature belong to a real person. So do not stop at "the firm." Verify the people too: the licensed CPA who runs your engagement and represents the firm on your opinion (the audit and the CPA's formal conclusion about your controls), and the firm itself.
That distinction stopped being academic in 2026. A YC-backed compliance startup that had raised $32 million was reported to have produced 493 near-identical SOC 2 reports out of 494 examined, with the same paragraphs, the same grammatical errors, only the company name swapped. The work was reportedly routed through offshore operations fronted by US virtual mailboxes and shell entities while the marketing said "independent US CPA firms." Delve denied the allegations, which remain contested. I would take it as the pattern to learn, not the company to fixate on. The question is not "is there a PDF." It is "who are the people who actually did this work, and are they real."
You can answer that in about two minutes, before you ever sign an engagement letter (the contract that defines what the audit covers and what each side is responsible for).
Step 1: Get the name of the CPA who runs your audit
Before anything else, ask one question. Which individual CPA will lead and perform my audit, and which firm will issue the report? Get the firm's exact legal name and the state it is registered in, in writing.
A real firm answers this immediately. If a provider will not name the person doing the work, or routes you only to a dashboard and a support queue, that tells you something on its own. The opinion is the product. You are allowed to know whose work stands behind it.
Step 2: Verify the license, the person first
A CPA license belongs to a person. A firm needs its own separate registration with a state board to perform attest work, the formal examination behind a SOC 2. So you check two things, and you check the human one first.
The free national tool is CPAverify, run by NASBA (the National Association of State Boards of Accountancy). It pulls directly from the state boards.
- Go to cpaverify.org. Use the CPA tab to look up the individual who will run your engagement, then the Firm tab for the firm that issues the report.
- Search by name, license number, or state.
- Confirm both read active, in the state the firm claims to operate from, with no disciplinary history.
If the individual's license does not check out, nothing else matters. The opinion would not be a valid SOC 2 no matter how polished the PDF.
Step 3: Ask what they have actually done
This is the step almost nobody takes, and it is the one that tells you whether you have an experienced auditor or someone simply assigned to your account. A SOC 2 is a specialist examination of security, IT, and governance controls, not generic accounting, and not every CPA is trained to do it. The license is the floor, not the proof.
So ask the human questions:
- How many SOC 2 examinations have you personally led?
- Have you audited companies that look like mine, on a stack like mine?
- Who actually does the fieldwork, and where are they?
You are listening for specifics. An experienced auditor talks fluently about scoping (deciding which systems the audit covers) and sampling (picking which records to test) and the gaps they tend to find. Someone reading from a script does not. Experience is the one thing a shell entity cannot manufacture, and it is exactly what the cheapest audit channel attached to a platform tends not to give you. If you never meet the people whose work backs your report, you have no way to know which kind you got.
What about peer review?
You may read that you should check a firm's AICPA peer review. Peer review is real and worth knowing about. It is the audit of the auditor: every three years another CPA firm samples a firm's reports and the underlying evidence to confirm the work supports the opinions, and accepted reviews are posted in a public file.
One honest caveat, because it cuts both ways. Peer review runs on a multi-year cycle, and a brand-new firm enrolls but will not have an accepted review on file yet, simply because its first cycle has not come due. So treat peer review as a plus when it is present, not a disqualifier when it is absent. The signal that always applies is the one above. A named, licensed, experienced human who actually does the work and stands behind it.
The red flags I look for
Five years on the auditor's side teaches you the tells. None is conclusive on its own. Stacked together, they describe an audit that may not have done much testing.
| Red flag | What it usually means |
|---|---|
| No named individual | Nobody will tell you, in writing, which CPA actually performs and stands behind the work. A real auditor is happy to be named, because they are accountable for it. |
| Zero findings, ever | A real examination finds exceptions. A first-time report with nothing flagged usually means the testing did not happen. |
| Boilerplate testing language | Section IV, the part of the report that describes what was actually tested, reads identically to every other report: generic "inspected evidence" phrasing, nothing specific to your systems, your samples, or what was checked. |
| US address you cannot tie to a real office | A virtual mailbox out front, the fieldwork done somewhere else. The marketing says "US CPA firm"; the people doing the work are someone else. |
| No relevant experience | The person leading it cannot point to SOC 2 work on companies like yours, or you spent the engagement teaching them your own stack. |
The two-minute checklist
Run this before you pay anyone:
- Ask which individual CPA performs and leads your audit, and which firm issues the report. Get both in writing, with the state.
- Look up that individual on CPAverify (CPA tab). Active license, right state, no discipline?
- Look up the firm (Firm tab). Active firm registration in the same state?
- Ask what they have audited. SOC 2 experience on companies like yours, and who does the fieldwork.
- Ask to see a sample report and read Section IV. Does the testing language describe real procedures, or could it belong to any company?
Pass these and you are dealing with real people doing real work. The report is only ever worth as much as the auditors who actually did it, and that is something you can check before you ever pay.
For why a CPA is the right professional to run a security audit in the first place, see why a CPA audits your security. For why "compliant" is the wrong word for what you are buying, see the SOC 2 compliant myth.
Frequently asked questions
How do I check if a SOC 2 auditor is a real CPA?
Does the individual CPA or the firm sign the SOC 2 report?
Should I check my SOC 2 auditor's peer review?
What are red flags when choosing a SOC 2 auditor?
Is my SOC 2 report valid if the firm isn't a licensed CPA firm?
Keep reading
Will AI make SOC 2 prep tools obsolete?
AI agents can now do the prep work a compliance subscription used to sell. What gets cheap, and what doesn't.
Can a once-a-year audit keep up with AI?
Snapshots and samples were workarounds for the cost of looking. AI collapsed that cost. What independent verification looks like next.
Does the name on your SOC 2 report matter?
The famous logo is a stand-in for what the report will not show you. Here is how to read past it.
Why can't an auditor just take your word?
The rules make the auditor inspect the real evidence, not just ask. A green checkmark is not proof.
Sources
- Only a licensed CPA firm can perform a SOC 2 examination and form the opinion; the practitioner has sole responsibility for it (AT-C 205).
- CPAverify is NASBA's free national database of licensed CPAs and CPA firms, populated directly by state boards of accountancy.
- CPAverify public search lets you look up both individual CPAs and firms by name, license number, and state.
- The AICPA Peer Review Public File lets anyone search firms and view enrollment status and accepted peer review documents.