
How Do You Verify Your SOC 2 Auditor's AICPA Membership?

SOC 2 Auditors Editorial Team

How Do You Verify Your SOC 2 Auditor’s AICPA Membership? (and what membership actually means)

Most SOC 2 guidance tells you to “verify AICPA membership” and stops there. That’s not enough. AICPA membership is voluntary — it’s a trade association, not a licensing body. The legal authority to issue a SOC 2 report comes from a state CPA license and peer review enrollment, both of which exist independently of AICPA membership. This article walks through a four-step verification flow and explains exactly what you are and aren’t checking at each step.

What is AICPA membership and why does it matter for SOC 2?

AICPA membership is voluntary professional association membership. It matters for SOC 2 because enrolled AICPA member firms are subject to peer review under AICPA standards and to ethics enforcement, and they have access to SSAE 18 guidance — but membership itself is not what grants the legal authority to issue SOC 2 reports.

The American Institute of CPAs is the professional body that promulgates the standards governing SOC 2 engagements. SOC 2 reports are issued under SSAE 18 (now updated through SSAE No. 22) and the AICPA Trust Services Criteria. When a firm is an AICPA member, it agrees to operate under those standards, participate in the AICPA Peer Review Program, and submit to AICPA ethics enforcement if complaints arise.

That said, AICPA membership is not a government-issued license. Any CPA firm can choose not to join the AICPA and still hold a valid state CPA license. The inverse is also possible: a firm can be an AICPA member and simultaneously fail peer review, which would make its ability to accept new attest engagements questionable under many state board rules.

For SOC 2 specifically, the combination that actually matters is:

  1. Active state CPA license — issued by a state board of accountancy, not the AICPA
  2. Enrollment in a recognized peer review program — the AICPA Peer Review Program is the dominant one
  3. No active suspension at the state board or the peer review administrator
  4. Most recent peer review opinion of Pass (or Pass with Deficiency, provided the deficiency does not relate to attest-engagement quality)

AICPA membership correlates strongly with all four conditions because AICPA member firms are required to enroll in peer review. But the verification task is to confirm the underlying conditions, not just the membership.

For more on what qualifications a firm must hold before it can take on a SOC 2 engagement — including what active AICPA membership actually requires — see our broader auditor qualification baseline.

How do you check if a firm is an AICPA member in 2026? (the four-step verification flow)

Verify in four steps: confirm the active state CPA license via NASBA, search the AICPA member directory, look up the firm in the AICPA Peer Review Public File to confirm enrollment and review opinion, and then apply a red-flag checklist before asking for written confirmation in the engagement letter.

Each step provides a different type of assurance. Running all four takes under thirty minutes for any firm that is legitimate.

Step 1: Verify the state CPA license

The CPA license is the legal foundation. NASBA maintains CPA Verify, a searchable database that aggregates license records from most state boards. Search by firm name or license number and confirm:

  • License status is active (not expired, suspended, or revoked)
  • The licensee includes the firm entity, not just an individual
  • The license covers attest engagements (some states issue separate attest authorizations)
  • No disciplinary actions are listed

If the firm operates across multiple states, the home-state license governs under NASBA’s mobility rules, which allow CPA firms licensed in good standing in one state to practice temporarily in others. Confirm the home-state license is active; you do not need to verify every state separately.

The firm should be able to produce its CPA license number on request without hesitation. If it cannot, stop here.

Step 2: Check AICPA member directory

Search the AICPA member directory at aicpa-cima.com/directories by firm name. AICPA membership confirms the firm has agreed to operate under AICPA professional standards and peer review requirements. It is a useful signal, particularly for smaller firms that may not appear prominently in search results.

A firm that appears here is committed to the standards under which SOC 2 reports are issued. A firm that does not appear here warrants additional scrutiny — specifically, confirmation of peer review enrollment through an alternative program.

Note that the AICPA directory is a membership roster, not a quality certification. Presence in the directory confirms the firm paid dues and agreed to membership terms; it does not confirm the outcome of the most recent peer review.

Step 3: Look up the firm in the AICPA Peer Review Public File

This is the most substantive check. The AICPA Peer Review Public File shows enrollment status and accepted peer review documents for firms enrolled in PCPS, EBPAQC, GAQC, or those that voluntarily requested public listing.

Search by firm name and look for:

  • Enrollment status: Confirmed enrolled. If the firm is not listed, ask them directly whether they are enrolled through a state society program and request documentation.
  • Date of most recent accepted review: Should be within three years. Firms performing attest engagements are subject to a three-year peer review cycle.
  • Peer review opinion: There are three opinion types — Pass, Pass with Deficiency, and Fail. A Pass is the cleanest result. A Pass with Deficiency requires you to understand what the deficiency covered — a finding related to attest-engagement quality is a material concern; a finding related to administrative documentation is less so. A Fail disqualifies the firm for your engagement until remediation is confirmed. The detail on how to read a peer review opinion is covered in a companion article.
  • Acceptance letter: Download it. The acceptance letter from the peer review administrator confirms the review was completed and accepted. Its absence may indicate the review cycle is incomplete.

The AICPA Peer Review Program contact is 919.402.4502 / prsupport@aicpa.org if you need to confirm status directly.

Step 4: Apply the red-flag review and ask in writing

Cross-reference your findings from steps 1–3 against the red-flag list under “What red flags suggest a firm is misrepresenting its AICPA standing?” below. Any flag that surfaces requires a written response from the firm before the engagement proceeds. The section “What should you ask the auditor in writing before signing?” provides a template for the specific questions to send.

The output of this four-step flow is either a clean bill of health or a documented exception. If clean, file the license number and peer review acceptance letter in your vendor risk file. If not clean, the written-question template gives you the right language to get answers on record.

What is the difference between AICPA membership, state CPA licensure, and peer review enrollment?

State CPA licensure is a government-issued legal authority to practice as a CPA; AICPA membership is voluntary professional association membership; peer review enrollment is a quality-oversight requirement that may be mandated by state boards or AICPA membership terms. They are three separate things that happen to overlap for most reputable firms.

These three concepts are frequently conflated, and the confusion creates real due-diligence gaps.

State CPA licensure is issued by a state board of accountancy — a government agency, not a private body. It is the legal basis for the firm’s authority to issue attest reports. Without it, no SOC 2 report issued by that firm carries any legal standing. State boards can suspend or revoke licenses based on disciplinary actions, continuing education failures, or ethics violations. The state-by-state CPA licensure rules for SOC 2 auditors vary, including whether a firm must obtain a separate attest authorization.

AICPA membership is a private, voluntary agreement between the firm and the AICPA. By joining, the firm agrees to uphold AICPA professional standards — including SSAE 18 for attestation engagements — and to participate in the Peer Review Program. AICPA can discipline members and revoke membership, but it cannot revoke a state CPA license; that power sits with the state board.

Peer review enrollment is the most operationally significant of the three for SOC 2 buyers. Many state boards require firms performing attest engagements to be enrolled in a peer review program, and those that are AICPA member firms are required to enroll by their membership terms. The peer review itself is a third-party quality inspection of the firm’s attest work, conducted every three years. The outcome — Pass, Pass with Deficiency, or Fail — is the closest thing to a direct quality signal available to buyers.

The relationship between the three: state licensure is the floor, peer review enrollment is the standard quality gate, and AICPA membership is the professional-association layer that bundles the two. You need to verify all three independently because they can come apart.

What happens if a firm’s AICPA membership lapses mid-engagement?

Lapsed AICPA membership mid-engagement does not automatically void the report, but it signals a potential break in peer review continuity. If peer review enrollment lapses simultaneously, state boards may restrict the firm’s ability to accept new attest work, which could affect your engagement timeline and report validity.

AICPA membership lapse is rare for active attest firms — the annual dues process makes it a deliberate decision, not an accidental one. But it does happen during mergers, breakups, and financial distress. The implications depend on whether the lapse is only from AICPA membership or also from peer review enrollment.

If only AICPA membership lapses, the firm retains its state CPA license and may remain enrolled in peer review through a state society program. The engagement can continue under the state license. The firm should notify you of the lapse and confirm its peer review status has not changed.

If peer review enrollment also lapses, the risk is sharper. Several state boards prohibit firms with lapsed peer review from performing new attest work until enrollment is reinstated and a review is scheduled. A SOC 2 engagement that crosses such a lapse creates questions about whether the report was issued by a firm in good standing at the time of issuance.

The prudent mitigation is in the engagement letter: require the firm to represent, as of the report date, that its CPA license is active, that it is enrolled in a peer review program, and that no suspension or restriction is in effect. If anything changes mid-engagement, the firm must notify you within a defined number of days. The SOC 2 bridge letter covers what to do when firm status changes relative to the observation period.

Which non-AICPA firms can legitimately issue SOC 2 reports? (international engagements, IFAC recognition)

SOC 2 is a US standard under SSAE 18. Non-US firms that are IFAC members can perform fieldwork under reciprocal agreements, but the firm signing the report must hold a valid US CPA license and be enrolled in the AICPA Peer Review Program. Non-US firms cannot independently sign a SOC 2 report.

This scenario arises most commonly when a company’s infrastructure, data processing, or key business processes involve non-US entities that must be included in the SOC 2 scope. A European subsidiary on AWS Frankfurt, a development team in India, or a data center in Singapore can all fall within scope.

For those engagements, it is common for the US-licensed lead auditor to engage an IFAC-member firm in the relevant jurisdiction to perform on-the-ground testing. IFAC membership indicates adherence to International Standards on Quality Management and ISA 600 group audit standards, which are recognized by AICPA as a basis for relying on component auditor work.

The critical distinction: the IFAC-member firm acts as a component auditor. The group auditor — the firm whose name appears on the SOC 2 report — must be a licensed US CPA firm enrolled in AICPA Peer Review. If a non-US firm claims to issue standalone SOC 2 reports without a US CPA firm as the signing entity, that report does not conform to SSAE 18 and will not be accepted by sophisticated buyers or downstream auditors.

Questions to ask when an international firm is involved: What is the name of the US-licensed CPA firm that will sign the report? What IFAC-member firm, if any, is performing component testing? What is the lead auditor’s methodology for supervising and integrating component auditor work?

What red flags suggest a firm is misrepresenting its AICPA standing?

Red flags include use of the phrase “AICPA certified,” a signing entity that is an LLC without a CPA or PC designation, refusal to produce a CPA license number, a peer review file showing Fail or attest-related deficiency, and the firm describing its work as consulting rather than attestation under AICPA AT-C 205.

These are concrete and testable, not general caution about “doing research”:

1. The firm cannot produce its CPA license number on request. A licensed CPA firm has this number readily available. Hesitation or inability to produce it is a hard stop.

2. The firm uses the phrase “AICPA certified.” The AICPA does not certify firms. The correct language is AICPA member firm or AICPA Peer Review enrolled. Firms that use “certified” are either unaware of the distinction or are deliberately inflating their credentials.

3. The signing entity is an LLC without “CPA” or “PC” in the legal name. The engagement letter must come from a licensed CPA firm. An LLC that lacks a CPA firm designation in its name may be a consulting entity, not an attest firm. Verify that the legal name of the signatory matches the licensed entity in the state board records.

4. The firm refuses to provide its peer review report. A firm with a clean peer review record has no reason to withhold this document. The AICPA Peer Review Public File makes enrolled firms’ most recent reviews publicly available. Refusal to share a peer review report, or claims that it is “confidential,” is a red flag.

5. The peer review file shows Fail or Pass with Deficiency related to attest engagements. A Fail opinion disqualifies the firm. A Pass with Deficiency requires scrutiny: a deficiency in engagement documentation or internal administrative processes is less concerning; a deficiency directly tied to the quality of attest work — including sampling, evidence evaluation, or opinion formation — is disqualifying until a remediation letter is on file and accepted.

6. The firm describes itself as a “consultancy” or “compliance advisor.” These entities are not authorized to issue SOC 2 reports under AICPA AT-C 205. A SOC 2 report issued by a non-attest entity is not a valid SOC 2 report, regardless of how it is formatted. Many compliance platforms and readiness consultants produce SOC 2-adjacent documentation; none of them can issue the attested report itself.

What should you ask the auditor in writing before signing?

Send these questions before the engagement letter is executed. Require the answers in writing — either in the engagement letter itself or in a separate representation letter — so that any misstatement creates contractual liability, not just reputational risk.

These seven questions correspond directly to the verification steps and red flags above:

1. “Please confirm the legal name of the CPA firm that will sign our SOC 2 report and provide its CPA license number, the issuing state board, and the license expiration date.”

2. “Is your firm currently enrolled in the AICPA Peer Review Program? Please provide your enrollment ID and the date of your most recent accepted peer review.”

3. “Please share the public-file link or PDF of your most recent peer review report and any acceptance or remediation letters.”

4. “Has your firm or any partner been subject to license suspension, restriction, or AICPA ethics enforcement action in the last five years? If yes, please describe.”

5. “Does your firm operate under AICPA AT-C 205 attestation standards for SOC 2 engagements? Please confirm in the engagement letter.”

6. “If our engagement spans the firm’s next peer review cycle, what is your plan if a finding affects your ability to continue attest work?”

7. “For non-US subsidiaries in scope, will any portion of the engagement be performed by an IFAC-equivalent firm? If so, please name the firm and confirm independence.”

A firm with clean standing will answer all seven without friction. The engagement letter should incorporate the license number, peer review enrollment ID, and confirmation of AT-C 205 applicability as representations. These terms protect you if the firm’s status changes mid-engagement or if the report is later challenged.

For the fuller rubric on selecting a firm — pricing, vertical specialization, team size, and timeline — see our broader auditor selection rubric. For how we run this verification process across all 126 firms in the directory, see our verification methodology. Every firm listed in our SOC 2 auditor directory has been checked for an active CPA license in at least one US state, peer review enrollment, no active suspension, and a most recent peer review opinion of Pass or Pass with Deficiency (noted).

Frequently asked questions

How do you verify a SOC 2 auditor is an AICPA member?

Search the AICPA member directory by firm name. AICPA membership alone is not sufficient — confirm that the firm is also enrolled in the AICPA Peer Review Program and holds an active CPA license in at least one US state, both of which are independently verifiable through the Peer Review Public File and NASBA respectively.

Is AICPA membership required to issue a SOC 2 report?

No. AICPA membership is voluntary. The legal requirements are an active state CPA license and enrollment in a peer review program. A firm that is peer-review enrolled but not an AICPA member can technically issue a SOC 2 report, though AICPA membership is strongly correlated with program participation and adherence to SSAE 18 standards. In practice, nearly all active attest firms are AICPA members.

What is the AICPA Peer Review Public File?

The AICPA Peer Review Public File lists enrollment status and accepted peer review documents for firms enrolled in PCPS, EBPAQC, GAQC, or those that voluntarily requested public listing. It shows the firm’s most recent peer review opinion — Pass, Pass with Deficiency, or Fail — and any associated acceptance letters. Peer reviews occur on a three-year cycle for firms performing attest engagements.

What happens if a SOC 2 auditor’s AICPA membership lapses mid-engagement?

Lapsed AICPA membership does not automatically void an engagement, but it raises questions about peer review continuity. If the firm’s peer review enrollment lapses concurrently, the firm may lose authority to accept new attest engagements under state board rules. Review your engagement letter for representations about license and enrollment status, and request a bridge letter confirming standing if you have any concern about a gap.

Can a non-US firm issue a SOC 2 report?

SOC 2 is an AICPA-promulgated US standard governed by SSAE 18. Non-US firms that are IFAC members can perform fieldwork as component auditors under reciprocal agreements, but the signing firm must hold a valid US CPA license and be enrolled in the AICPA Peer Review Program. The US-licensed lead auditor retains primary responsibility for the report opinion and must supervise and integrate all component auditor work.

What are the red flags that a firm is misrepresenting its AICPA standing?

Key red flags: the firm uses the phrase “AICPA certified” (AICPA does not certify firms); the signing entity is an LLC without a CPA or PC designation; the firm cannot produce its CPA license number on request; the firm refuses to share its peer review report; the AICPA Peer Review Public File shows a Fail or a Pass with Deficiency related to attest-engagement quality; the firm describes its work as consulting rather than attestation under AICPA AT-C 205. Any one of these should pause your evaluation until resolved in writing.
