SOC 2 Attestation: What It Means and How CertPro Issues It

What is SOC 2?

The word “attestation” is used loosely in the compliance market — and that looseness causes real problems for service organizations trying to understand what they are actually buying.

SOC 2 attestation is a legally defined process. It is the formal examination conducted by a licensed CPA firm under AICPA AT-C Section 205, in which an independent auditor evaluates a service organization’s controls against the Trust Services Criteria and issues a professional opinion on whether those controls meet the applicable requirements. The output is a formal attestation report — not a certificate, not a badge, not a software-generated compliance summary.

Only licensed CPA firms are authorized to issue SOC 2 attestation reports. CertPro CPA LLC is a licensed CPA firm that conducts SOC 2 examinations directly under AICPA standards. This guide explains exactly what SOC 2 attestation means, how the process works, and what distinguishes a genuine attestation engagement from the many things in the market that claim to be one.

TL;DR:

Concern: With the SOC 2 compliance market flooded by software vendors, consultants, and unaccredited bodies all claiming to offer “SOC 2 attestation,” service organizations find it genuinely difficult to understand what attestation actually means — and who is legally authorized to issue it.

Overview: SOC 2 attestation is the formal examination process conducted by a licensed CPA firm under AICPA AT-C Section 205, resulting in an independent auditor’s report on whether a service organization’s controls meet the applicable Trust Services Criteria.

Solution: Service organizations should understand the legal definition of attestation, how it differs from consulting and readiness work, what the examination process involves, and why engaging a licensed CPA firm like CertPro CPA LLC is the only path to a valid, market-accepted SOC 2 report.

SOC 2 attestation is the formal, independent examination of a service organization’s controls by a licensed CPA firm, resulting in a professional opinion on whether those controls meet the AICPA’s Trust Services Criteria. It is the process that produces a SOC 2 report — and it is governed by professional standards that only licensed CPA firms are authorized to apply.

What Does Attestation Mean?

In professional accounting and auditing, attestation has a precise legal meaning. It refers to an engagement in which a licensed CPA firm — the practitioner — issues a written communication that expresses a conclusion about the reliability of a subject matter that is the responsibility of another party — the responsible party, in this case the service organization’s management.

Under AICPA AT-C Section 205, an examination engagement is the highest level of attestation service a CPA firm can provide. The practitioner gathers sufficient appropriate evidence, applies professional judgment, and issues an opinion — not a summary, not a recommendation, not a readiness score. An opinion, with professional and legal accountability attached.

This is categorically different from:

  • A readiness assessment — which identifies gaps but produces no attestation
  • A consulting engagement — which advises on control design but issues no opinion
  • A software compliance report — which generates automated outputs but involves no licensed professional examination
  • A vendor security questionnaire — which records self-reported claims but verifies nothing

When a buyer asks for your SOC 2 report, they are asking for an attestation — a document bearing a licensed CPA firm’s professional opinion. Nothing else satisfies that requirement.

Who Is Authorized to Issue a SOC 2 Attestation?

Only licensed CPA firms operating under AICPA professional standards are authorized to issue SOC 2 attestation reports. This is not a market convention — it is a professional and legal requirement embedded in the AICPA’s attestation standards.

The AICPA has been explicit about this. In a public notice on its SOC Suite of Services page, the AICPA stated that it is investigating allegations about compliance vendors offering SOC services without proper licensure, and that auditors found to have performed engagements not in accordance with professional standards, to be unenrolled in peer review, or to be unlicensed will face action, including referral to state boards of accountancy.

The market implications are significant. Organizations that receive a SOC 2 report from an unlicensed or non-CPA entity are not holding a valid SOC 2 attestation. They are holding a document that resembles one — which enterprise buyers, on closer inspection, will reject.

CertPro CPA LLC is a licensed CPA firm. Every SOC 2 report we issue is signed by a licensed CPA, conducted under AICPA AT-C Section 205, and subject to peer review — meeting the full requirements of a valid SOC 2 attestation.

What is the Difference Between SOC 2 Attestation and SOC 2 Certification?

This is one of the most searched questions in the SOC 2 space — and the answer matters for how service organizations communicate their compliance status to buyers.

SOC 2 attestation is the correct term. It refers to the examination process and the resulting report issued by a licensed CPA firm. The output is a report. The service organization does not receive a certificate. There is no SOC 2 certification body, no SOC 2 certificate number, and no third party that certifies a product as "SOC 2 compliant."

“SOC 2 certified” is technically inaccurate language that has become common in marketing contexts. When a company says it is “SOC 2 certified,” what it means is that it holds a current SOC 2 attestation report. Sophisticated buyers understand this distinction — and some will push back on vendors who use “certified” language because it signals a misunderstanding of the framework.

The correct language: the service organization holds a SOC 2 report, has been SOC 2 attested, or has completed a SOC 2 examination. CertPro CPA LLC uses accurate language in all client communications and report documentation.

What Does a SOC 2 Attestation Engagement Involve?

A SOC 2 attestation engagement conducted by CertPro CPA LLC follows the examination standards of AICPA AT-C Section 205 and proceeds through defined phases:

Phase 1 — Engagement Acceptance and Planning

CertPro CPA LLC evaluates whether the engagement meets the criteria for acceptance under professional standards — including independence requirements, competence, and the suitability of the criteria to be applied. The audit scope is defined: which systems are in scope, which Trust Services Criteria apply, and what observation period will be examined for a Type 2 engagement.

Phase 2 — Understanding the System

CertPro CPA LLC develops a thorough understanding of the service organization’s system — the services it provides, the infrastructure it uses, the software it operates, the people involved in delivering the service, and the procedures it follows. This understanding forms the basis of the system description that appears in the final report.

Phase 3 — Risk Assessment and Control Identification

CertPro CPA LLC identifies the controls that management has implemented to address the applicable Trust Services Criteria (the Common Criteria, which cover Security and are included in every SOC 2 examination, plus any additional categories management has selected: Availability, Processing Integrity, Confidentiality, or Privacy), assesses the risks that those controls are designed to address, and determines the nature, timing, and extent of testing procedures.

Phase 4 — Testing

For SOC 2 Type 1 engagements, CertPro CPA LLC tests whether controls are suitably designed to meet the applicable criteria as of the specified date.

For SOC 2 Type 2 engagements, CertPro CPA LLC tests both design suitability and operating effectiveness across the full observation period. Testing procedures include:

  • Inspection — reviewing documentation, configurations, logs, and records to verify control operation
  • Inquiry — interviewing personnel responsible for controls to understand how they are performed in practice
  • Observation — directly observing control activities being performed
  • Re-performance — independently executing a control procedure to verify that it produces the expected result

Inquiry alone is never sufficient evidence that a control operated effectively. Each conclusion about a control rests on inspection, observation, or re-performance that corroborates what personnel describe, and for a Type 2 engagement that corroborating evidence must cover the observation period, typically through sampling of the control's occurrences.

Phase 5 — Evaluation of Exceptions

Where testing reveals that a control did not operate as designed during the observation period, CertPro CPA LLC documents the finding as an exception. The nature, frequency, and impact of exceptions are evaluated to determine their effect on the overall opinion. See Common SOC 2 Audit Exceptions for a detailed breakdown of how exceptions are classified and handled.

Phase 6 — Report Issuance

CertPro CPA LLC issues the formal SOC 2 report — a structured attestation document containing the auditor’s opinion, management’s assertion, the system description, and for Type 2, the detailed description of tests and results. The report is signed by CertPro CPA LLC as the issuing licensed CPA firm.

What Opinion Does a SOC 2 Attestation Report Contain?

A SOC 2 attestation report contains one of three opinion types. (A fourth outcome, a disclaimer of opinion, is possible when a scope limitation prevents the auditor from obtaining sufficient appropriate evidence, but it is uncommon in a properly scoped engagement.)

Unmodified opinion (commonly called an unqualified opinion) — the service organization’s controls meet the applicable Trust Services Criteria. This is the outcome that service organizations and their customers expect from a well-prepared engagement.

Qualified opinion — the controls meet the criteria except for one or more specific areas where the auditor found material deviation. A qualified opinion is issued when exceptions are significant enough to affect the overall conclusion but do not undermine the entire system.

Adverse opinion — the controls do not meet the applicable criteria. An adverse opinion represents a significant failure of the control environment and is rarely seen in engagements where adequate readiness work was completed before the formal examination.

The SOC 2 readiness assessment that CertPro CPA LLC conducts before the formal examination is specifically designed to identify and remediate control gaps that would otherwise result in qualified or adverse opinions — protecting both the service organization’s report outcome and the efficiency of the engagement.

Type 1 vs Type 2 Attestation — Which Does Your Organization Need?

Both Type 1 and Type 2 are valid SOC 2 attestation engagements conducted under the same AICPA standards. The difference is in what they examine and what they prove.

Type 1 attestation examines controls at a single point in time — are they suitably designed as of this date? It is faster to complete and appropriate when an organization needs to demonstrate a baseline security posture quickly, for example to unblock a specific deal or meet an interim procurement requirement.

Type 2 attestation examines controls over an observation period — did they actually operate effectively, consistently, throughout this period? It is the standard that enterprise buyers require for long-term vendor relationships. For a full breakdown of Type 2 requirements and timelines, see SOC 2 Type 2.

Most organizations that complete a Type 1 engagement go on to complete Type 2 within twelve months — either because their buyers require it or because the Type 1 provides the documentation and discipline needed to support a successful Type 2 observation period.

How Often Must SOC 2 Attestation Be Renewed?

SOC 2 attestation is not a one-time event. Enterprise buyers expect a current report, meaning one whose observation period ended within the last twelve months. Once a report ages beyond twelve months, buyers begin to question whether the controls documented in the report are still in place and still operating effectively. For the gap between the end of one observation period and the issuance of the next report, service organizations commonly provide buyers a bridge (gap) letter: a management-signed statement that no material changes to the system or controls have occurred since the period end. A bridge letter is a management representation, not an auditor attestation, and it does not extend the report's period.

Annual re-examination is the standard practice. Each year, CertPro CPA LLC conducts a fresh examination covering a new observation period, typically twelve months, and issues a new report. For full details on examination frequency and what happens when a report lapses, see SOC 2 Audit Frequency.

Begin Your SOC 2 Attestation with CertPro CPA LLC

SOC 2 attestation is a precise, professionally governed process — and choosing the right licensed CPA firm to conduct it determines both the quality of the report and its acceptance by enterprise buyers.

CertPro CPA LLC is a licensed CPA firm that issues SOC 2 attestation reports under AICPA AT-C Section 205. Every engagement is conducted by licensed CPAs, subject to peer review, and produces a report that meets the full requirements of a valid SOC 2 attestation.

Explore the full SOC 2 hub for detailed guidance on every aspect of the SOC 2 process.

Ready to begin? Contact CertPro CPA LLC to scope your SOC 2 attestation engagement.

FAQ

What is SOC 2 attestation vs SOC 2 certification?

Attestation is the correct term — it refers to the examination and report issued by a licensed CPA firm under AICPA AT-C Section 205. “Certification” is technically inaccurate. There is no SOC 2 certificate. The output is a report bearing a licensed CPA firm’s professional opinion.

Can a non-CPA firm issue a SOC 2 attestation report?

No. Only licensed CPA firms operating under AICPA professional standards are authorized to issue SOC 2 attestation reports. Reports issued by unlicensed or non-CPA entities are not valid SOC 2 attestations and will be rejected by sophisticated enterprise buyers.

How long does a SOC 2 attestation engagement take?

A first-time Type 2 engagement typically takes three to six months from scoping to report issuance, depending on control maturity and system complexity. Type 1 engagements can be completed in four to eight weeks.

What is AICPA AT-C Section 205?

AT-C Section 205 is the AICPA professional standard that governs examination engagements — the highest level of attestation service. It defines the requirements for planning, performing, and reporting on an examination, including the evidence standards and opinion framework that CertPro CPA LLC applies in every SOC 2 engagement.

Does CertPro CPA LLC offer readiness assessments before attestation?

Yes. CertPro CPA LLC conducts SOC 2 readiness assessments as a precursor to the formal examination, identifying control gaps and giving service organizations the opportunity to remediate before fieldwork begins. Readiness work is a nonattest service, so AICPA independence rules apply: the firm identifies gaps and management decides on and implements remediation, taking responsibility for the design and operation of its own controls, so that the firm is not later examining controls it designed.
