Disclosure: Independent directory. Not a CPA firm. Nothing here is legal, audit, or tax advice.

Can I Do SOC 2 Without an Auditor? (Non-US CPAs Too)

By Editorial team

No. A SOC 2 report only exists if a licensed CPA firm issues it. Anything else is a self-attestation, which most enterprise buyers will reject.

Short answer: no. SOC 2 is an attestation engagement under AICPA AT-C 205. By definition, only a licensed CPA firm can perform it and issue a report. Anything else is something else — useful, sometimes, but not SOC 2.

Why the auditor is structurally required

SOC 2 is regulated by the AICPA, the same professional body that regulates financial audits. The framework requires an independent third-party CPA who: holds an active state CPA license, follows AICPA SSAE 18 attestation standards, carries professional liability insurance, and is subject to AICPA peer review every three years. This structure is what makes a SOC 2 report meaningful to enterprise buyers — there is a licensed party whose practice can be sanctioned if they sign off on bad work.

Things that look like SOC 2 but are not

What you can do without an auditor

  1. Run a readiness assessment against the SOC 2 Trust Services Criteria. Most GRC platforms ship this out of the box.
  2. Implement controls — access reviews, vendor risk, encryption, change management, incident response — and collect evidence on autopilot.
  3. Issue a self-attestation or trust center page describing the controls in plain English. This satisfies many SMB diligence requests.
  4. When enterprise demand triggers it, hire a CPA firm to convert your accumulated evidence into an actual SOC 2 Type I or Type II report.

Pre-audit: how long the platform-only state lasts

Most startups run 6 to 18 months on a GRC platform without a real SOC 2 report — long enough to satisfy investors, channel partners, and SMB customers. The trigger to actually engage an auditor is usually a single enterprise deal worth more than the cost of the audit. Once you cross that threshold, the math is straightforward: an audit costs $15,000 to $40,000 all-in for a startup, and the deal it unlocks is typically worth multiples of that.

Choosing the auditor when the time comes

Boutique CPA firms (Prescient Assurance, Insight Assurance, BARR Advisory, Johanson Group) typically charge $12,000 to $25,000 for a SOC 2 Type II at startup scale. Mid-tier firms (Schellman, A-LIGN) charge $30,000 to $60,000. Big Four firms (Deloitte, PwC, KPMG, EY) start above $80,000 and are rarely the right call for a first audit. We have a separate guide on how to choose between them.