SOC 2 Compliance by an Independent Licensed CPA Firm
CertPro conducts SOC 2 Type I and Type II examinations under AICPA SSAE 18, with reports attested and issued directly by a licensed CPA in accordance with those standards.
The Independent Assurance Standard for Cloud Organisations
SOC 2 (System and Organization Controls 2) is a rigorous attestation framework developed by the AICPA that evaluates how a service organisation's controls meet the Trust Service Criteria. Unlike certifications that rely on self-declaration, SOC 2 requires an independent examination conducted and attested by a licensed CPA firm.
CertPro performs SOC 2 Type I and Type II examinations in accordance with AICPA SSAE 18 attestation standards. Every engagement is performed by credentialed auditors — CPAs, CISAs, and ISO Lead Auditors — applying structured, evidence-based scrutiny across all in-scope controls.
A SOC 2 report provides enterprise customers, regulators, and procurement stakeholders with verifiable, independent assurance of your organisation's security posture. It is the most widely requested attestation in technology procurement globally.
Security
Controls protecting systems against unauthorised access, use, disclosure, and modification of information.
Availability
Systems are available for operation and use in accordance with agreed-upon commitments and requirements.
Confidentiality
Information designated as confidential is protected as committed or agreed throughout processing and disposal.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorised to meet defined objectives.
Privacy
Personal information is collected, used, retained, and disclosed in conformity with AICPA privacy criteria.
SOC 2 Type I vs Type II
The appropriate examination type is determined by the nature of your controls, the observation period required, and the assurance expectations of your stakeholders.
Design Assessment at a Point in Time
A Type I examination evaluates whether controls are suitably designed and implemented to meet the relevant Trust Service Criteria — assessed at a specific date. It provides independent assurance on the architecture of your control environment.
Operating Effectiveness Over a Defined Period
A Type II examination evaluates both the design and operating effectiveness of controls over a defined period — a minimum of six months. It constitutes the highest standard of independent SOC 2 assurance, required by enterprise buyers, regulated industries, and institutional investors.
What the Examination Covers
Every CertPro SOC 2 engagement is structured around a defined scope, conducted in accordance with AICPA attestation standards, and delivered by credentialed audit professionals.
Phase 1: System Scoping & Boundary Definition
CertPro defines the in-scope system boundary in collaboration with your team — identifying the services, infrastructure, and personnel subject to examination and the applicable Trust Service Criteria.
Phase 2: Control Environment Assessment
Our auditors conduct a structured review of your control environment, identifying design gaps relative to the Trust Service Criteria prior to formal testing — enabling substantive remediation before the audit period commences.
Phase 3: Evidence-Based Control Testing
Each in-scope control is tested against defined criteria through inquiry, observation, inspection, and re-performance. Evidence is reviewed, documented, and assessed for sufficiency and appropriateness in accordance with AICPA standards.
Phase 3: Exception & Finding Documentation
All deviations from criteria are documented with classification, root cause analysis, and management's response. Findings are communicated clearly and without ambiguity throughout the engagement.
Phase 4: CPA Attestation & Report Issuance
The SOC 2 report is prepared, reviewed, and attested by a licensed CPA under AICPA SSAE 18. CertPro issues the report directly — no co-signing CPA is required — in standard AICPA format accepted by enterprise and regulated buyers.
Ongoing: Post-Issuance Assurance Support
Following report issuance, CertPro remains available to support management's responses to customer enquiries, third-party due diligence reviews, and annual re-examination planning.
A Structured Examination in Four Phases
CertPro's SOC 2 engagement methodology is structured, evidence-based, and conducted in accordance with AICPA professional standards at every stage.
Scoping & Planning
CertPro defines the system boundary, applicable Trust Service Criteria, and examination period in consultation with your team. Engagement scope, responsibilities, and timeline are documented before work commences.
Readiness & Remediation
A structured readiness assessment identifies control design gaps relative to the applicable criteria. Our pre-built documentation framework supports substantive remediation prior to formal testing, reducing examination risk.
Evidence Review & Control Testing
In-scope controls are tested through inquiry, inspection, observation, and re-performance. All evidence is assessed for sufficiency and appropriateness. Deviations are documented with root cause and management response.
CPA Attestation & Report
The completed SOC 2 report is reviewed, attested, and issued by a licensed CPA under AICPA SSAE 18 — in standard format, accepted by enterprise customers, regulated buyers, and institutional stakeholders worldwide.
Is Your Control Environment Examination-Ready?
A structured readiness assessment identifies control gaps relative to the applicable Trust Service Criteria. The five areas below are the most frequently identified deficiencies across CertPro's SOC 2 engagements — each mapped to AICPA CC-series requirements.
Information Security Policy Framework
Documented policies covering acceptable use, access management, data classification, and incident response — approved by management.
Logical Access Controls
User provisioning and de-provisioning procedures, MFA enforcement, and documented least-privilege access principles.
Monitoring & Anomaly Detection
Security event monitoring, log retention per defined schedules, and alerting for system anomalies.
Incident Response Programme
Documented procedures tested via tabletop exercises, with assigned roles and defined escalation paths.
Vendor & Third-Party Risk Management
Periodic third-party risk assessments, executed BAAs where required, and documented sub-service organisation disclosures.
Independent Audit. Credible Report. Licensed CPA Firm.
Six principles that govern how CertPro conducts every SOC 2 engagement — from scoping through report issuance.
Direct CPA Attestation
CertPro issues SOC 2 attestation reports directly under AICPA SSAE 18 — no co-signing CPA, no third-party intermediary. The same standard applied by Big 4 firms, with the same legal weight.
Structural Independence
CertPro does not provide the compliance tools, software, or advisory services that we audit against. There is no financial relationship that could compromise objectivity — our conclusions are derived solely from documented evidence.
Evidence-Based Methodology
Every audit conclusion is supported by sufficient and appropriate evidence. CertPro does not estimate, assume, or extrapolate — each control is tested against defined criteria through inquiry, inspection, observation, and re-performance.
Credentialed Engagement Team
Every SOC 2 engagement is led by a named Certified Public Accountant, supported by CISA-certified information systems auditors and ISO Lead Auditors. Credentials are aligned to the frameworks and criteria under examination.
Transparent Communication
Audit findings are communicated in clear, actionable language — not dense technical reports. Every deviation is documented with severity classification, root cause analysis, and a defined corrective action pathway.
Multi-Jurisdiction Coverage
With audit professionals across the USA, India, UK, Oman, Lebanon, and Ghana, CertPro serves organisations in every major technology market — conducting remote examinations in accordance with AICPA standards.
SOC 2 Examination — Key Questions
A Type I report provides an independent assessment of whether controls are suitably designed at a specific point in time. A Type II report evaluates both design and operating effectiveness over a defined period of at least six months. Most enterprise and regulated buyers require Type II as it provides evidence of sustained control performance, not merely design intent.
A Type I examination typically spans 4–6 weeks from engagement commencement. A Type II engagement requires a minimum six-month observation period, with the examination and report issuance typically completed within 4–6 weeks following the period end. CertPro's average Type II timeline is 6–8 months from initial scoping.
No. The Security criterion (Common Criteria) is mandatory for all SOC 2 engagements. The remaining four — Availability, Confidentiality, Processing Integrity, and Privacy — are included based on the nature of the services provided and the assurance requirements of your stakeholders. CertPro determines the appropriate scope during the planning phase.
CertPro is a licensed CPA firm — we perform and issue SOC 2 attestation reports directly under AICPA SSAE 18, without requiring a co-signing CPA. Many firms operating in this space are consultancies, not licensed CPA firms. CertPro's engagements are conducted by credentialed CPAs, CISAs, and Lead Auditors, applying a structured, evidence-based methodology on every engagement.
The examination involves four structured phases: system boundary scoping and engagement planning; readiness assessment and control gap identification; evidence-based control testing through inquiry, observation, inspection, and re-performance; and CPA review, attestation, and report issuance. Each phase is documented in accordance with AICPA professional standards.
Yes. CertPro's pre-built documentation framework addresses the majority of policy and procedure requirements under the SOC 2 criteria. A structured readiness assessment in the early phases of the engagement identifies control gaps and supports remediation prior to formal testing — enabling organisations at varying maturity levels to prepare effectively for examination.
Ready to Achieve Compliance Without the Headache?
Schedule a free 30-minute scoping call with a CertPro expert. We'll identify the right framework, estimate your timeline, and give you a clear roadmap — no commitment required.