Is SOC 2 a certification?

No. SOC 2 is an attestation engagement under AICPA standards. A CPA firm examines your controls and issues a report containing their opinion. There is no certifying body, no certificate, and no pass/fail in the way certifications work.

Why do so many companies say 'SOC 2 certified'?

It's shorter and more familiar than 'we received an unqualified opinion on our SOC 2 Type II examination.' Marketing language drifts toward what's understood, even when it's technically inaccurate. In contracts and security questionnaires, the precise language matters.

There's no formal 'fail.' If your controls aren't effective, the auditor issues a qualified or adverse opinion, or notes exceptions. The report still exists and gets shared with customers, who then evaluate the severity of the exceptions.

How long is a SOC 2 valid?

A SOC 2 report covers a stated period (Type I = a date, Type II = typically 3 to 12 months). There's no formal expiration. The industry treats reports older than 12 months as stale and customers will ask for a bridge letter or a new report.

DisclosureIndependent directory. Not a CPA firm. Nothing here is legal, audit, or tax advice. Methodology.

SOC 2 is an attestation, not a certification — AICPA

By Editorial team · Published 2026-04-26 · Last updated 2026-06-13

AICPA SOC 2 is an attestation, not a certification — there's no certifying body, no certificate, and no pass/fail. Here's why that distinction matters in contracts and security questionnaires.

You'll see 'SOC 2 certified' in marketing copy, in security questionnaires, and even in contracts. It's technically incorrect every time. SOC 2 is an attestation engagement under AICPA standards. There is no certifying body, there is no certificate, and there is no binary pass/fail — your report contains an opinion from a CPA firm.

What's the actual difference?

What an attestation engagement actually is

Under AICPA AT-C Section 205, a CPA firm performs an examination of management's written assertion about the design (Type I) or design and operating effectiveness (Type II) of controls against the Trust Services Criteria. The result is a formal report with the firm's opinion. The firm stakes its license on that opinion and carries professional liability for it.

Why the wording matters

Procurement and legal teams care about precise language. 'Certified' implies an issuing body that doesn't exist for SOC 2 and can be flagged as a misrepresentation.
Auditors can issue qualified opinions or list exceptions. You can have a SOC 2 report with material exceptions and still 'have' a SOC 2 — that's not how certifications work.
The opinion type matters. An unqualified (clean) opinion is the goal. A qualified opinion notes specific exceptions. An adverse opinion or a disclaimer is rare but possible. 'SOC 2 certified' obscures all of this.
In a security questionnaire that asks 'Are you SOC 2 certified?', the technically accurate answer is: 'SOC 2 is an attestation, not a certification. We have a SOC 2 Type II report covering [period] with an unqualified opinion from [firm].'

The four possible auditor opinions

Unqualified (clean) — controls are suitably designed and (for Type II) operated effectively. This is what 'passing' looks like in everyday language.
Qualified — controls are generally effective, but the auditor identifies specific exceptions. The report still gets issued.
Adverse — controls are not suitably designed or did not operate effectively. The report exists but communicates failure.
Disclaimer — the auditor couldn't gather enough evidence to form an opinion. Rare in practice.

Who can perform a SOC 2 examination

Only a licensed CPA firm. Not a security consulting firm, not a managed services provider, not a compliance platform. The CPA firm has a license that can be sanctioned, professional liability insurance, and AICPA peer review obligations. This is the structural reason SOC 2 is more rigorous than self-attestations or unaccredited 'certifications.'