x.com/i/status/2037262153195893218
1 correction found
SOC2 certified
SOC 2 is not a formal certification. Under AICPA’s framework, it is an independent CPA examination that results in a SOC 2 report/attestation.
Full reasoning
The phrase “SOC2 certified” is technically incorrect.
Under the AICPA’s own description of SOC 2, a SOC 2 examination is a report on controls at a service organization. In other words, SOC 2 results in an attestation/report by an independent licensed CPA firm, not a certification issued by a certifying body.
Authoritative sources make this explicit:
- The AICPA’s SOC 2 page describes SOC 2 as “an examination” and says “SOC 2 reports” are what organizations receive.
- An AICPA article on SOC services says “A SOC 2® report” provides information to customers and that “A SOC 2® examination can only be performed by an independent, licensed CPA firm.”
- Vanta’s explainer summarizes the same point: there is no official certifying body or pass/fail status for SOC 2; it is an attestation, not a certification.
So while a company may have completed a SOC 2 Type II audit and received a favorable report, calling that status “SOC2 certified” is inaccurate terminology.
3 sources
- SOC 2® - SOC for Service Organizations: Trust Services Criteria | AICPA & CIMA
A SOC 2 examination is a report on controls at a service organization… SOC 2 reports are intended to meet the needs of a broad range of users…
- Authorized Users of Content from the AICPA on SOC Services | AICPA & CIMA
A SOC 2® report is considered by many to be the gold standard… A SOC 2® examination can only be performed by an independent, licensed CPA firm against standards and criteria developed by the AICPA.
- Is SOC 2 a certification or attestation? | Vanta
SOC 2 is an attestation, not a certification: There is no official certifying body or pass/fail status for SOC 2.