Who actually signs your SOC 2 report?

TL;DR
  • Your SOC 2 report is signed by a licensed CPA firm, not by the compliance platform you used to get ready.
  • Under AICPA rules the CPA alone is responsible for the opinion. The platform's job is to organize your evidence.
  • On the platform path, the auditor tends to be the person you interact with the least. That is worth noticing.
  • Ask whose name is on the report, verify the individual CPA's license, then ask what they have actually audited.

The signature line is the whole thing

A SOC 2 report is not a certificate, a badge, or a dashboard. It's an opinion. A licensed CPA looked at your controls, the safeguards you have in place to protect customer data, and wrote down, in their own professional judgment, whether those controls were designed and actually working the way you say they are. The report is issued in the firm's name, and a real CPA's work, judgment, and license stand behind it.

That work runs under the AICPA's attestation standards. Attestation just means a CPA examining something and formally stating their conclusion about it. The specific rulebook is SSAE 18, and within it AT-C section 105 and AT-C section 205. Read AT-C 205 and one line settles the question of who owns the report. The CPA, in the standard's words, "has sole responsibility for the opinion expressed." Not the tool. Not the platform. The CPA.

So here is the question most founders never ask. You are about to hand a report to an enterprise customer who will use it to decide whether they trust you. Whose name is on it? If you cannot answer that quickly, you do not yet know what you bought.

What the platform does, and what it can't

I want to be fair to the compliance platforms here, because they solved a real problem.

Before they existed, getting your evidence ready for an audit was a mess of spreadsheets and screenshots and frantic Slack threads. The platforms cleaned that up. They connect to your AWS account, your identity provider, your ticketing system, and they pull evidence automatically. They map it to the controls you are supposed to have. They tell you what is missing. For a lot of teams that genuinely shrank the painful part.

That is the evidence-organizing layer. It is useful. It is not an audit.

A compliance platform is a software company. It is not a CPA firm, and it cannot become one by writing more software. The platforms know this, which is why they do not sign your report. They refer you to a CPA firm to do that part. The subscription and the audit are two separate things. One organizes your evidence. The other is a licensed professional forming an independent opinion and putting the firm's name on it.

Compliance platformCPA firm
What it isSoftwareLicensed accounting firm
JobCollect and organize evidenceExamine controls, form the opinion
Signs the reportNoYes
Governed byIts own termsAICPA attestation standards

The practical upshot is one most people miss: you can be audited without renting a platform forever. The platform is optional. The CPA is not.

The buried auditor

Here is the part of the model I think is worth sitting with.

On the platform path, a founder can go through almost the entire process talking to software. You log into a dashboard. You connect integrations. You watch a progress bar. You upload a few documents. And then, near the end, an auditor you have barely met issues an opinion that the whole report rests on.

The validity of your report comes from that person. The license, the independence, the professional judgment, the accountability. All of it lives with the CPA. But the experience is built so that the CPA is the one piece you interact with least.

I am not saying anyone is doing anything wrong. I am saying the structure makes it easy to never really meet the person whose license backs your report. And if you never meet them, it is fair to ask a simple question. What did they actually look at?

In my own fieldwork, the testing is the job. I pull samples, meaning I take a handful of real cases and check them rather than trusting a summary. I trace access changes back to the tickets that requested them. I look at what actually happened, not just what the policy says should happen. A report that comes out of real testing reads differently from one that came out of a template. If your auditor is mostly a name that appears at the end, you have no easy way to tell which one you got.

What to do about it

You do not need to be an auditor to protect yourself. You need two minutes and a name.

Get the name. Ask which CPA firm issues the report and which individual CPA leads the engagement and stands behind the opinion. Get the exact legal name of the firm and the state it is registered in, in writing. A real firm answers this without hesitating.

Verify the license. A CPA license is public information. Look up both the firm and the individual CPA who leads the work on NASBA's CPAverify at cpaverify.org. It pulls straight from the state boards. You are confirming an active firm license and an active individual license, in the state they claim.

Check their experience. The license is the floor, not the proof. A SOC 2 is a specialist examination of security and IT controls, and not every CPA is trained for it. So ask the human questions. How many SOC 2 examinations have you led? Have you audited companies like mine? Who does the actual fieldwork, and where? An experienced auditor answers in specifics. A name rented to front an account does not. If the firm happens to have a completed peer review, the public audit-of-the-auditor file maintained by the AICPA, that is a nice extra. But peer review runs on a multi-year cycle, so a perfectly good new firm may not have one on file yet. Treat it as a bonus, not a requirement. The thing that actually protects you is verifying the named CPA's license and real experience.

None of this is gatekeeping. The AICPA's own publication, the Journal of Accountancy, has cautioned that promises of "fast and easy" can threaten the credibility of SOC reports. The people who write the standards are saying it out loud. Speed itself is not the problem. Speed with nobody real behind the opinion is.

So learn your auditor's name. Verify it. Ask what they did. The report is only worth what the person who stands behind it is worth, and that is something you can check before you ever pay.

Frequently asked questions

Who can perform a SOC 2 audit?
Only a licensed CPA firm. A SOC 2 is an attestation examination, meaning a formal audit and opinion, performed under AICPA standards (SSAE 18, AT-C 105 and 205). Under AT-C 205 the CPA has sole responsibility for the opinion. The examination has to be done, and the report signed, by a CPA firm that is independent of the company being audited. No other type of company can issue a valid SOC 2 opinion.
Can Vanta or Drata issue my SOC 2 report?
No. Compliance platforms like Vanta, Drata, Secureframe and Sprinto are software companies, not CPA firms. They help you collect and organize evidence, which is genuinely useful, but they cannot perform the examination or sign the report. They refer you to a separate CPA firm for that part. The signature on a valid SOC 2 always comes from a licensed CPA firm.
Does my compliance platform sign the report?
No. The platform organizes your evidence and tracks your controls. The audit itself is a separate engagement with a licensed CPA firm, and that firm signs the opinion. They are two different things, and often two different bills. This matters because it means you can be audited by a CPA without paying a platform subscription forever.
How do I find out who my auditor is?
Ask directly which CPA firm performs the examination and which individual CPA leads the engagement and stands behind the opinion. Get the firm's exact legal name and home state in writing. Then verify both the firm and that individual CPA on NASBA's CPAverify at cpaverify.org, which pulls straight from the state boards. Then ask about their actual SOC 2 experience. The whole check takes a couple of minutes.
Why does it matter who signs?
Because the report is only an opinion, and an opinion is only worth the judgment and accountability of the people behind it. Under AICPA standards the CPA has sole responsibility for that opinion. If the firm is not a licensed CPA firm with a CPA who has real SOC 2 experience, the report is not a reliable SOC 2 and your customers cannot lean on it. The name on the signature line is what the whole report is built on.

Keep reading

Sources
  1. Under AT-C section 205, a SOC 2 examination is performed by the practitioner, who has sole responsibility for the opinion expressed; the report is the CPA's professional attestation, not a tool's output.
  2. A CPA license, individual and firm, is publicly verifiable through NASBA's CPAverify, which is populated directly by state boards of accountancy.
  3. Firms that perform SOC examinations are subject to AICPA peer review, and the results are searchable by the public in the AICPA Peer Review Public File.
  4. The AICPA's own publication, the Journal of Accountancy, has warned that promises of fast and easy can threaten SOC report credibility.