This is a unified, executive-level summary designed for immediate use in an internal wiki, project charter, or compliance plan. It outlines the professional requirements for the auditor, the specific team members you need, and the final deliverables.
Under AICPA standards, a SOC audit is a formal "attestation engagement." To be valid, your auditor must meet the following three requirements:
- Licensed CPA Firm: Only a licensed Certified Public Accountant (CPA) firm accredited by the AICPA (American Institute of Certified Public Accountants) is authorized to issue a SOC 2 or SOC 3 report. Non-CPA firms can only perform "readiness assessments."
- Professional Independence: The auditing firm must be strictly independent. They cannot have built your systems, managed your security, or had a financial interest in your company.
- Regulatory Standing: The firm must undergo a Peer Review every three years to verify that their auditing practices meet the AICPA’s Peer Review Program standards.
A successful audit requires participation from five key areas of the business:
- Executive Sponsor (CEO/CTO/CISO): Signs the "Management Assertion," confirming that the system description is accurate and that the controls were in place and operated effectively.
- Compliance Lead (GRC or DevOps Mgr): Serves as the primary Point of Contact (POC) for the auditor and manages the evidence collection platform.
- Engineering & DevOps (Technical Leads): Responsible for producing technical evidence, such as CloudTrail logs, GitHub PR histories, and Terraform configurations.
- Human Resources (HR Manager): Provides evidence for personnel controls, including background checks, confidentiality agreements, and termination logs.
- Legal / Procurement: Manages vendor risk by collecting SOC reports from sub-service providers (e.g., AWS, GCP, Snowflake) and reviewing client SLAs.
To complete the audit, the following documents must be generated and presented to the CPA firm:
- The System Description (DC 200): A comprehensive 20-50 page document detailing the boundaries of your system, your tech stack, and how your controls meet the Trust Services Criteria.
- The Control Matrix: A mapping of your specific internal actions (e.g., "Daily vulnerability scans") to the official AICPA Trust Services Criteria (TSC).
- The Evidence Package (The "Receipts"): Screenshots, CSV exports, and system logs that prove each control operated consistently during the audit window.
- The Management Assertion: A formal letter from your leadership declaring that your internal controls are designed and operating effectively.
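A gap in the Evidence Package (a daily control with no proof for some days in the audit window) is the most common way an auditor turns a clean report into one with exceptions, and it is cheap to catch before the evidence is handed over. The following is an added example, not part of the original summary or any AICPA material: a small check that takes one Control Matrix entry (internal control, the Trust Services Criteria reference it maps to, expected frequency) and a constructed CSV export from a vulnerability scanner, and reports every expected period in the window with no successful run. The control IDs, the `TSC-REF-PLACEHOLDER` criterion reference, the CSV columns and the dates are all constructed for illustration; substitute your own matrix and your scanner's real export format.

```python
"""
Added example (not from the original page): evidence-coverage check for
one Control Matrix entry before it goes into the Evidence Package.
A failed scan run is deliberately NOT counted as evidence that the
control operated, because that is how an auditor will read it.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
import csv
import io


@dataclass(frozen=True)
class Control:
    control_id: str      # your internal control identifier (assumed format)
    description: str     # the "specific internal action" from the matrix
    tsc_reference: str   # TSC criterion it maps to (placeholder value here)
    frequency_days: int  # evidence expected at least once per this many days


# Constructed matrix entry for the "Daily vulnerability scans" control
# named in the summary; the TSC reference is a placeholder.
DAILY_SCAN_CONTROL = Control("VM-01", "Daily vulnerability scans",
                             "TSC-REF-PLACEHOLDER", frequency_days=1)

# Constructed CSV export, in the shape a scanner might produce.
# Note: 2024-01-04 failed and 2024-01-05 has no row at all.
SCAN_EXPORT_CSV = """\
scan_id,completed_at,status
1001,2024-01-01T02:10:00Z,completed
1002,2024-01-02T02:11:00Z,completed
1003,2024-01-03T02:09:00Z,completed
1004,2024-01-04T02:12:00Z,failed
1006,2024-01-06T02:10:00Z,completed
1007,2024-01-07T02:10:00Z,completed
"""


def parse_completed_scan_dates(csv_text: str) -> set:
    """Return the set of calendar dates on which a scan finished successfully."""
    dates = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] != "completed":
            continue  # a failed or aborted run is not evidence of operation
        stamp = datetime.fromisoformat(row["completed_at"].replace("Z", "+00:00"))
        dates.add(stamp.date())
    return dates


def find_evidence_gaps(control: Control, evidence_dates: set,
                       window_start: date, window_end: date) -> list:
    """Return the start date of each expected period in the audit window
    that contains no evidence. A period is frequency_days long, so for a
    daily control every day without a successful run is a gap; for a
    weekly control any week with at least one run is covered."""
    gaps = []
    period_start = window_start
    while period_start <= window_end:
        period_end = min(period_start + timedelta(days=control.frequency_days - 1),
                         window_end)
        covered = any(period_start <= d <= period_end for d in evidence_dates)
        if not covered:
            gaps.append(period_start)
        period_start = period_end + timedelta(days=1)
    return gaps


def coverage_report(control: Control, csv_text: str,
                    window_start_iso: str, window_end_iso: str) -> dict:
    """Summarise one control's evidence coverage over the audit window
    (ISO date strings in, plain dict out, so it can be dumped as JSON
    next to the evidence it describes)."""
    start = date.fromisoformat(window_start_iso)
    end = date.fromisoformat(window_end_iso)
    evidence = parse_completed_scan_dates(csv_text)
    gaps = find_evidence_gaps(control, evidence, start, end)
    return {
        "control_id": control.control_id,
        "tsc_reference": control.tsc_reference,
        "window": [window_start_iso, window_end_iso],
        "evidence_days": len(evidence),
        "gaps": [g.isoformat() for g in gaps],
        "passed": not gaps,
    }


if __name__ == "__main__":
    report = coverage_report(DAILY_SCAN_CONTROL, SCAN_EXPORT_CSV,
                             "2024-01-01", "2024-01-07")
    print(report)
    # For a real engagement, run this over the full audit window and attach
    # an explanation (or a remediation ticket) for every listed gap.
```

Run it over the whole audit window rather than a sample week, and keep the output alongside the raw export: the auditor wants the "receipt", and the report tells you in advance which days you will have to explain. Widening `frequency_days` (7 for a weekly control, 90 for a quarterly access review) reuses the same logic.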
The two report types compare as follows:

| Feature | SOC 2 (Restricted Report) | SOC 3 (Public Report) |
|---|---|---|
| Audience | Customers, Prospects, Auditors (Under NDA) | General Public, Marketing Website |
| Level of Detail | High (Includes full testing results and findings) | Low (Opinion only; no sensitive details) |
| Usage | Security Due Diligence / Vendor Risk | Brand Trust / Marketing "Seal of Approval" |
| Audit Work | The actual audit. Full testing of all controls. | None. It is a summary derived from the SOC 2 audit. |
The governing AICPA publications referenced above:
- AICPA Trust Services Criteria (TSC): The official requirements for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- AICPA Description Criteria (DC 200): The mandatory checklist for what must be included in your System Description document.
- AICPA Professional Standards (AT-C 205): The legal standards for how a CPA must conduct an examination engagement.