SOC 2 Audit & Certification — CertPro CPA LLC | Licensed CPA Firm
SOC 2 Attestation by a Licensed CPA Firm

Enterprise buyers ask for a SOC 2 report before they close a deal. CertPro CPA LLC conducts SOC 2 Type 1 and Type 2 examinations and issues attestation reports directly, as a licensed CPA firm, under AICPA AT-C Section 205.

What is SOC 2

THE INDEPENDENT ASSURANCE STANDARD FOR SERVICE ORGANIZATIONS

SOC 2 is an audit and attestation framework developed by the AICPA that evaluates whether a service organization's controls meet the Trust Services Criteria. It is foundational for any cloud-based or technology-driven business that stores, processes, or transmits sensitive customer data. A SOC 2 attestation requires an independent examination by a licensed CPA firm, which is why it is among the most widely requested security attestations in B2B technology procurement. For a technology service organization, the SOC 2 report is direct evidence that its security posture has been independently examined.

CertPro CPA LLC issues SOC 2 attestation reports directly, as a licensed CPA firm, under AICPA AT-C Section 205. Every engagement is led by credentialed auditors applying structured, evidence-based testing across all in-scope controls.

A SOC 2 report issued by CertPro provides enterprise customers, procurement stakeholders, and regulators with verifiable, independent assurance of your organization's security posture.

Security

Protects systems against unauthorized access, data misuse, and disclosure. Mandatory for every SOC 2 engagement.

Availability

Covers system uptime, redundancy, and disaster recovery in line with agreed commitments. Relevant when system or service downtime directly affects your customers.

Confidentiality

Protects sensitive business information through encryption, access controls, and documented data retention policies throughout processing and disposal.

Processing Integrity

Ensures system processing is accurate, complete, and timely. Most relevant for organizations handling financial or transactional data where errors carry real consequences.

Privacy

Governs how personal information is collected, used, retained, disclosed, and disposed of. Applies when your organization manages identifiable personal information at scale.

Scope Your Engagement

SOC 2 Type 1 vs Type 2

The appropriate examination type depends on the maturity of your controls, the observation period your stakeholders expect, and the level of assurance they require.

Type 1

Design Assessment at a Point in Time

A SOC 2 Type 1 examination reports on whether your controls are suitably designed and implemented as of a specified date. It is the right starting point for organizations establishing their compliance baseline or responding to an early procurement request.

Evaluates control design and implementation at a single point in time
No minimum observation period required
Accepted by enterprise procurement and vendor risk teams
Faster to complete than a Type 2 examination
Serves as the precursor to a Type 2 engagement
Type 2

Operating Effectiveness Over a Period of Time

A SOC 2 Type 2 examination evaluates both the design and operating effectiveness of controls over a period of time. It is the standard required by enterprise buyers, regulated industries, and institutional investors because it demonstrates sustained security discipline.

Evaluates operating effectiveness over a period of time
Commonly required by large enterprises, financial institutions, and regulated sectors
Evidence for each applicable Trust Services Criteria reviewed across the whole period
Attestation report issued directly by CertPro under AICPA AT-C Section 205
Annual re-examination maintains continuous stakeholder assurance
Engagement Methodology

A Structured Examination in Four Phases

Every CertPro SOC 2 engagement follows a structured four-phase process governed by AICPA standards at every stage. All milestones are tracked through Asana with full client visibility.

Phase 1

Kick-off and Scoping

A 30-minute call to discuss your audit scope, system boundaries, observation period, and timeline. Applicable Trust Services Criteria are agreed jointly during the call. One client-side point of contact is identified to keep the SOC 2 audit moving without delays.

Phase 2

Evidence Access and Gap Review

In this phase you share access to your evidence repository. We review your control matrix and system description against the AICPA description criteria (DC Section 200). A structured gap list identifying control gaps and documentation deficiencies is compiled and delivered to you for resolution before further testing.

Phase 3

Gap Clarification and Further Testing

A Zoom session is held to walk through the structured gap list with you. Controls can be demonstrated live, or evidence can be submitted after the call. Items that remain unresolved are formally documented and categorized by severity. Throughout this phase, controls are tested through inquiry, inspection, and observation.

Phase 4

Report Compilation and CPA Sign-off

The draft SOC 2 report is compiled, independently reviewed by CertPro's QA team, and shared with you for a factual accuracy review. The final attested SOC 2 report is issued under AT-C Section 205 and signed directly by CertPro as a licensed CPA firm.

Readiness Assessment

Is Your Control Environment Ready?

A readiness assessment identifies gaps against SOC 2 requirements before the formal examination begins. The five areas below are the deficiencies most frequently identified across CertPro's SOC 2 engagements; addressing them early reduces examination risk and makes the engagement more efficient.

*Note: CertPro does not assist with readiness assessments*

CC6

Security Policy Documentation

Written, management-approved policies covering access management, data classification, incident response, and acceptable use. Undocumented practices cannot be substantiated through examination and will be noted as control gaps. Documented policies are a baseline requirement across all applicable Trust Services Criteria.

CC6.1

Logical Access Controls

User provisioning and deprovisioning procedures, MFA enforcement, and least-privilege access principles are documented and consistently applied. Logical access is among the most frequently tested SOC 2 controls in every engagement CertPro runs.
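As an added illustration (not CertPro's tooling, and not something the page describes), the Python below mirrors the population-based test an auditor applies to this control: it reconciles an HR termination export against an identity-provider (IdP) user export, flags accounts still active after the revocation SLA, flags any login after the termination date, and lists active accounts that are not MFA-enrolled. The two CSV exports are constructed sample data, and the one-day SLA and the column names are assumptions.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample exports (not real data). In practice these come from the
# HR system and the IdP; the auditor will want the complete population, not a
# hand-picked subset, so run this over the full export.
HR_TERMINATIONS_CSV = """email,termination_date
alice@example.com,2024-03-01
bob@example.com,2024-03-10
carol@example.com,2024-04-02
"""

IDP_USERS_CSV = """email,status,mfa_enrolled,last_login
alice@example.com,DEPROVISIONED,true,2024-02-28T09:12:00Z
bob@example.com,ACTIVE,true,2024-03-15T10:00:00Z
carol@example.com,ACTIVE,false,2024-04-01T08:00:00Z
dave@example.com,ACTIVE,false,2024-04-05T12:00:00Z
erin@example.com,ACTIVE,true,2024-04-05T12:00:00Z
"""

# Assumed policy value: access must be revoked within one day of termination.
DEPROVISION_SLA = timedelta(days=1)


def parse_csv(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _utc(iso: str) -> datetime:
    """Parse '2024-03-10' or '2024-03-15T10:00:00Z' as an aware UTC datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).replace(tzinfo=timezone.utc)


def deprovisioning_exceptions(hr_rows: list[dict], idp_rows: list[dict], as_of: datetime) -> list[dict]:
    """Terminated employees whose IdP account is still ACTIVE after the SLA.

    as_of is the examination date (Type 1) or the period end (Type 2).
    """
    idp = {r["email"].lower(): r for r in idp_rows}
    exceptions = []
    for row in hr_rows:
        acct = idp.get(row["email"].lower())
        if acct is None:
            continue  # no IdP account to revoke
        terminated = _utc(row["termination_date"])
        deadline = terminated + DEPROVISION_SLA
        if acct["status"] == "ACTIVE" and as_of > deadline:
            exceptions.append({
                "email": row["email"],
                "deadline": deadline.date().isoformat(),
                # A login after termination turns a timing deviation into an
                # unauthorized-access finding, so record it separately.
                "logged_in_after_termination": _utc(acct["last_login"]) > terminated,
            })
    return exceptions


def mfa_exceptions(idp_rows: list[dict]) -> list[str]:
    """Active accounts not enrolled in MFA: each is a deviation from an MFA-enforced policy."""
    return sorted(r["email"] for r in idp_rows
                  if r["status"] == "ACTIVE" and r["mfa_enrolled"].lower() != "true")


def self_check(as_of_iso: str) -> dict:
    """Run both tests over the full population and return the evidence summary."""
    hr = parse_csv(HR_TERMINATIONS_CSV)
    idp = parse_csv(IDP_USERS_CSV)
    return {
        "as_of": as_of_iso,
        "population": {"terminations": len(hr), "idp_accounts": len(idp)},
        "deprovisioning_exceptions": deprovisioning_exceptions(hr, idp, _utc(as_of_iso)),
        "mfa_exceptions": mfa_exceptions(idp),
    }


if __name__ == "__main__":
    print(json.dumps(self_check("2024-04-30"), indent=2))
```

Run it over the complete exports rather than a sample: the auditor selects their sample from the same population, so any exception this finds is one they can find too, and a login after termination should be treated as a security event, not only as a late ticket.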

CC7

Security Monitoring and Log Retention

Active security event monitoring, defined log retention schedules, and alerting for system anomalies. For a Type 2 report, continuous monitoring demonstrates that controls are operating effectively throughout the observation period.

CC7.3

Incident Response Program

A written incident response plan, tested through a tabletop exercise, with assigned roles and escalation paths. A plan that has never been exercised cannot be shown to operate and will be noted as a deficiency. This is consistently identified across CertPro's SOC 2 examinations.

CC9.2

Vendor and Third-Party Risk Management

Documented vendor risk assessments, executed agreements where required (for example, Business Associate Agreements under HIPAA), and subservice organization disclosures in the system description. Third-party risk is one of the most frequently identified control gaps in CertPro's SOC 2 examinations.

1000+ examinations, 12+ years active, 25+ countries.
Why CertPro

Independent Audit. Credible Report.
Licensed CPA Firm.

The following principles govern how CertPro conducts every SOC 2 engagement, from scoping through report issuance. They are structural commitments, documented in every audit file and subject to external oversight through CertPro's enrollment in the AICPA Peer Review Program.

Direct CPA Attestation

CertPro issues SOC 2 reports directly, as a licensed CPA firm, under AICPA AT-C Section 205, without a co-signing CPA or third-party intermediary. The resulting report carries the independent assurance of a licensed CPA firm that is professionally accountable for its opinion.

Structural Independence

CertPro does not sell the compliance tools, software, or advisory services we audit against. Our opinions come from evidence gathered during the current engagement, not from prior relationships or previous period reports.

Evidence-Based Methodology

Every conclusion is supported by sufficient and appropriate evidence per AT-C Section 205 and AT-C Section 105. Each SOC 2 control is tested through inquiry, inspection, and observation. CertPro does not estimate, assume, or extrapolate from documentation alone.

Credentialed Engagement Team

Every engagement is led by a credentialed auditor. CertPro is enrolled in the AICPA Peer Review Program, providing independent external oversight of audit quality.

Transparent Communication

Audit findings are communicated in clear, plain language throughout the engagement. Every deviation is documented with severity classification, root cause analysis, and a corrective action pathway.

Globally Trusted

Examinations conducted by CertPro are a trust signal for service organizations worldwide. Adherence to strict audit processes ensures that our reports are accepted by enterprise customers globally.

Common Questions

SOC 2 Examination — Key Questions

What is the difference between a Type 1 and a Type 2 report?

A Type 1 report provides an independent assessment of whether controls are suitably designed at a specific point in time. A Type 2 report evaluates both design and operating effectiveness over a period of time. Most enterprise and regulated buyers require Type 2, as it provides evidence of sustained control performance rather than design intent alone.

Are all five Trust Services Criteria required?

No. The Security criteria (the Common Criteria) are mandatory for all SOC 2 engagements. The remaining four, Availability, Confidentiality, Processing Integrity, and Privacy, are included based on the nature of the services provided and the assurance requirements of your stakeholders. The scope is agreed during the planning phase.

Why CertPro CPA LLC?

CertPro CPA LLC issues SOC 2 attestation reports directly, as a licensed CPA firm, under AICPA AT-C Section 205, without requiring a co-signing CPA. Many firms operating in this space are consultancies, not licensed CPA firms. CertPro's engagements are led by credentialed CISAs and ISO Lead Auditors applying a structured, evidence-based methodology on every engagement.

How does the examination work?

The examination follows four structured phases: a kick-off meeting to confirm scope and timeline; evidence access and initial gap identification; gap clarification through a collaborative review; and report compilation, internal QA review, and issuance by CertPro CPA LLC directly, as a licensed CPA firm, under AICPA AT-C Section 205. Each phase is documented in accordance with AICPA professional standards.

Can an organization without an existing compliance program undergo a SOC 2 examination?

No. CertPro performs attestation engagements only; it does not provide readiness assessments, control design, or remediation support before the audit. This is a professional requirement, not a service limitation. As a licensed CPA firm governed by the AICPA Code of Professional Conduct, CertPro must remain independent, and any involvement in designing or implementing the controls it examines would compromise that independence and invalidate the attestation. To proceed with a SOC 2 examination, an organization must have its controls fully designed and implemented. For a Type 2 engagement, those controls must also have been operating throughout the defined review period before fieldwork begins. If your control environment is not yet established, you should first work with an independent readiness consultant or a GRC platform. Once your controls are in place and supporting evidence is available, CertPro can conduct the examination through its structured phases in line with AICPA attestation standards.

What is a SOC 2 report?

A SOC 2 report is a formal attestation document issued by a licensed CPA firm containing the practitioner's professional opinion on whether your controls are suitably designed (Type 1) or suitably designed and operating effectively (Type 2). It includes your system description, the applicable Trust Services Criteria, the controls tested together with the tests performed and their results, and any documented findings. CertPro issues it directly as a licensed CPA firm, under AICPA AT-C Section 205.

Discuss Your Engagement

Speak with a credentialed auditor to understand examination scope, applicable criteria, and the documentation requirements relevant to your organization.

Client Feedback

"On behalf of the Ipsip team, I would like to say thank you for the great work performed by CertPro on our SOC 2 Type 2 audit. We are impressed with your professionalism."

— An Nguyen Ha, Managing Director, IPSIP GROUP
Get Started Today

Begin Your Compliance Audit with a Licensed CPA Firm.

Schedule a 30-minute scoping call with a credentialed auditor. We will identify the right framework, discuss audit scope, and outline a clear path based on your current state.
