x.com/RajWebshar/status/2037275484548194320
2 corrections found
licensed by the AICPA
The AICPA develops the SOC framework, but it does not license CPA firms. CPA licenses are issued by state Boards of Accountancy.
Full reasoning
This phrase is inaccurate because the AICPA is not the licensing authority for CPA firms.
Authoritative accounting bodies describe the roles differently:
- NASBA says each jurisdiction's Board of Accountancy "issue[s] licenses to practice" and that licensing is the "sole responsibility" of those boards.
- AICPA describes itself as a professional membership organization of licensed CPAs, not a licensing body.
So while a SOC 2 examination is performed by an independent licensed CPA firm, the firm's license comes from a state board of accountancy, not from the AICPA. The AICPA sets the SOC standards/framework; it does not issue CPA licenses.
2 sources
- Exam Partners - NASBA
Boards of Accountancy have enacted accountancy laws governing the licensing of professional accountants in each state or jurisdiction. These boards issue licenses to practice... neither NASBA nor CPAES regulates or issues licenses... That is the sole responsibility of the Boards of Accountancy.
- Who are the CPA Exam partner organizations? | AICPA & CIMA
The AICPA is an international professional membership organization of licensed CPAs... Boards of accountancy are state/territory entities that have statutory authority to set the requirements and issue CPA licenses.
SOC 2 Type II certified
SOC 2 Type II is not a certification. It is an attestation/examination that results in an auditor’s SOC 2 report.
Full reasoning
This wording is inaccurate because SOC 2 Type II is not a certification status.
Authoritative sources describe SOC 2 as an examination/attestation that produces a report:
- AICPA says "A SOC 2 examination is a report on controls at a service organization..." and repeatedly refers to SOC 2 reports and SOC 2 examinations.
- Microsoft's official compliance documentation likewise calls it a "SOC 2 Type 2 attestation" and says the auditor "renders an opinion in a SOC 2 Type 2 report."
So the accurate phrasing would be that a company has a SOC 2 Type II report or has undergone a SOC 2 Type II examination/attestation — not that it is "SOC 2 Type II certified."
2 sources
- SOC 2® - SOC for Service Organizations: Trust Services Criteria | AICPA & CIMA
A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
- System and Organization Controls (SOC) 2 Type 2 - Microsoft Compliance | Microsoft Learn
A SOC 2 Type 2 attestation is performed under... At the conclusion of a SOC 2 audit, the auditor renders an opinion in a SOC 2 Type 2 report.