SOC 2 reports must be performed by a licensed CPA firm authorized to issue SOC reports. Readiness assessments can be conducted by non-CPA consultants or internal teams, but only a licensed CPA firm can issue the actual SOC 2 attestation report. The AICPA maintains guidance on selecting a qualified audit firm.
Keep Exploring