Disclosure: Independent directory. Not a CPA firm. Nothing here is legal, audit, or tax advice.

Can a non-US CPA firm issue a SOC 2 report? (2026)

By Editorial team

A true SOC 2 attestation must be issued by a US-licensed CPA firm enrolled in AICPA Peer Review. Non-US firms issue ISAE 3000 reports — the functional equivalent under IAASB standards. Here is what the distinction means for your buyer.

A non-US CPA firm cannot issue a SOC 2 report bearing AICPA attestation language. SOC 2 is an AICPA service performed under SSAE 18 (AT-C Section 205), and only US-licensed CPA firms enrolled in the AICPA Peer Review Program can sign that report. Non-US chartered accounting firms — in the UK, India, Israel, Canada, Australia — use ISAE 3000 instead, the IAASB's global counterpart. The two reports are functionally comparable. They are not technically the same.

SOC 2 vs ISAE 3000 — what is actually different

Why the distinction exists at all

The AICPA Code of Professional Conduct carves out a narrow allowance for members practicing outside the US: a member is not in violation of AICPA rules 'as long as the member's conduct is in accordance with the rules of the organized accounting profession in the country in which he or she is practicing.' That carve-out covers the member's own ethics — it does not authorize a non-US firm to sign a report bearing SSAE 18 attestation language. State boards of accountancy enforce CPA licensure on a state-by-state basis; the Uniform Accountancy Act Section 7 says 'attest services may only be rendered through firms holding permits from the state.'

When ISAE 3000 is the right answer

When you should insist on a US CPA firm signing

The cookie-cutter SOC 2 problem (June 1, 2026 AICPA crackdown)

On May 14, 2026, the AICPA Peer Review Board announced that beginning June 1, 2026, peer reviewers must apply heightened scrutiny to firms with high-volume SOC 2 practices — particularly those using third-party automation platforms to scale engagements. Per the Journal of Accountancy: SOC 2 engagements that are not tailored to each client's specific risks may be classified as 'nonconforming.' This is an enforcement signal that applies to US CPA firms — but it raises the bar for what a defensible SOC 2 report looks like in 2026.

Group audits and foreign component auditors

The AICPA Code of Professional Conduct addresses one more nuance: when a US-signing firm relies on a foreign component auditor in a group engagement, that foreign component auditor's conduct must meet the IESBA Code of Ethics for Professional Accountants as a minimum. This is how global firms (Big Four and major networks) handle multi-country SOC 2 engagements: the US member firm signs, the local member firm performs fieldwork in its jurisdiction, and IESBA ethics standards bridge the gap.

Common misconception: 'AICPA-accredited firm'

There is no AICPA accreditation for CPA firms. The AICPA enrolls firms in its Peer Review Program — that enrollment is a prerequisite for performing attestation engagements, but it is not an accreditation. Firms are licensed by their state boards of accountancy. Some vendor sites use the phrase 'AICPA-accredited firm' loosely. The technically precise framing is: 'a US-licensed CPA firm enrolled in the AICPA Peer Review Program.'

Practical answer for buyers

  1. If you are buying from a US-based SaaS vendor: expect a SOC 2 report signed by a US CPA firm. Verify the signing partner's state license and the firm's AICPA Peer Review status.
  2. If you are buying from a non-US vendor: ask for either an ISAE 3000 report or a SOC 2 issued by their global firm's US member firm. Either is acceptable; both should reference Trust Services Criteria.
  3. If your procurement language says 'SOC 2 required' and you accept international vendors, change the language to 'SOC 2 or ISAE 3000 with Trust Services Criteria.' This avoids artificial procurement blockers.
  4. If a vendor sends you a report labeled 'SOC 2' but signed by a firm with no US presence and no AICPA peer review enrollment, that report should not be relied on as a SOC 2.