How Does AICPA Peer Review Affect SOC 2 Audit Firm Quality?
Most SOC 2 buyers verify peer review by confirming a firm is enrolled and stopping there. Enrollment is necessary but not sufficient. The actual quality signal is in the opinion — Pass, Pass with Deficiency, or Fail — combined with what the scope letter shows was sampled. A Pass with Deficiency on SOC engagement performance is a different risk from a Pass with Deficiency in CPE record-keeping. This article gives you the decision framework to tell them apart and the exact steps to pull the file yourself.
What is the AICPA Peer Review Program and who runs it?
The AICPA Peer Review Program is a mandatory quality-oversight program for AICPA member firms performing attest engagements, administered by the AICPA Peer Review Board through state CPA societies and the National Peer Review Committee. Firms performing SOC 2 engagements must undergo a System Review — the more rigorous of the two types — every three years.
There are two peer review types. An Engagement Review covers compilation and preparation engagements. A System Review evaluates the firm’s entire quality control system and tests a cross-section of engagements against it. SOC 2 engagements are attest work under AT-C 205, which means any firm performing them must undergo System Reviews. If a firm’s most recent review was an Engagement Review, that is a gap worth questioning before you engage them.
The AICPA Peer Review Board sets standards and oversight for the program. Day-to-day administration runs through state CPA societies for most firms and the National Peer Review Committee for larger national and international firms. The administering entity is the one that accepts or rejects the completed review — its acceptance letter is the document you want on file.
Peer reviewers are other CPA firms in good standing. A firm with a most-recent rating of Pass with Deficiency or Fail is not eligible to perform peer reviews of other firms — so a deficient firm cannot launder its record by becoming a reviewer.
For the baseline qualification requirements beyond peer review — including what a Pass vs. Pass with Deficiency result tells a buyer — see the broader auditor qualification overview.
How do you find a SOC 2 firm’s peer review report?
Search the AICPA Peer Review Public File at peerreview.aicpa.org/public_file_search.html by firm name. The file shows enrollment status and accepted documents for firms in PCPS, EBPAQC, GAQC, or those voluntarily listed. Download the acceptance letter and scope letter — the opinion alone is not enough to assess the review.
The AICPA Peer Review Public File is the authoritative source. The search accepts firm name, city, and state. Use the legal entity name first; if the firm operates under a DBA, try both.
What to collect from the public file:
- Enrollment status. Confirmed enrolled. If the firm is not listed, ask directly whether they are enrolled through a state society program and request documentation.
- Review date. The end date of the period covered by the most recent accepted review. Older than three years from today means the firm is overdue.
- Opinion type. Pass, Pass with Deficiency, or Fail. Click through to the full acceptance letter.
- Scope letter. A separate document from the acceptance letter. It lists which engagement types were sampled — this is what tells you whether SOC engagements were actually examined.
- Letter of response. Present when the opinion is Pass with Deficiency. Its presence — and the administering entity’s acceptance of it — is part of your evaluation.
Firms in PCPS, EBPAQC, or GAQC have documents publicly listed automatically. Firms outside those programs may have non-public reports but can voluntarily share them. The AICPA Peer Review Program can be reached at 919.402.4502 or prsupport@aicpa.org to confirm ambiguous status.
What does each peer review opinion mean for SOC 2 buyers? (Pass / Pass with Deficiency / Fail)
Pass means the firm’s quality control system is suitably designed and complied with in all material respects. Pass with Deficiency identifies specific weaknesses but confirms the firm is functioning. Fail means the system was not suitably designed or complied with. For SOC 2 buyers, Pass is the baseline; any other result requires analysis before proceeding.
The AICPA defines the three opinions with language that has operational meaning for buyers.
Pass: “The firm’s system of quality control is suitably designed and complied with to provide the firm with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects.” At the engagement level: nothing came to the reviewer’s attention indicating that engagements were nonconforming.
Pass with Deficiency: “Except for the deficiencies described, the system of quality control has been suitably designed and complied with to provide the firm with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects.” At the engagement level: at least one — but not all — of the engagements submitted for review was nonconforming. The word “except” is load-bearing. The system is functional, but specific weaknesses were identified.
Fail: “The system of quality control was not suitably designed or complied with to provide the firm with reasonable assurance of performing and reporting in conformity with applicable professional standards in all material respects.” At the engagement level: all engagements submitted for review were nonconforming.
The engagement-level distinction matters: Pass with Deficiency means some nonconforming work; Fail means every engagement examined was nonconforming — the system-level failure is total, not partial.
The AICPA’s “Common Peer Review Deficiencies for SOC 1 and SOC 2 Engagements” catalogs the deficiency types most frequently found in SOC engagements — useful when you are evaluating what a specific firm’s deficiency actually involved.
When is “Pass with Deficiency” actually fine — and when is it disqualifying?
Pass with Deficiency is acceptable when the deficiency is in CPE documentation, administrative procedures, or engagement types unrelated to SOC work, and when a remediation letter is on file and accepted. It is disqualifying when the deficiency involves SOC engagement performance, independence, or is a repeat finding across review cycles.
The distinction between acceptable and disqualifying comes down to four questions: What was deficient? In what engagement type? Has it been remediated? Has it repeated?
Acceptable patterns:
- CPE or training documentation gaps. Staff records were incomplete. This is administrative — it does not mean staff lacked training, only that the documentation trail was weak. Engagement quality is unaffected.
- Documentation completeness issues that don’t reflect engagement substance. Workpaper organization, file retention, or evidence indexing failures where the underlying procedures were performed correctly.
- Deficiencies confined to an unrelated engagement type. A deficiency in employee benefit plan audits — confirmed by the scope letter as separate from SOC work — does not speak to SOC quality.
- Remediated deficiency with accepted follow-up documentation. The firm’s letter of response describes corrective actions, and the administering entity has issued documentation confirming acceptance. The deficiency existed, it was fixed, and the fix was verified.
Disqualifying patterns:
- Deficiencies in SOC engagement performance. The reviewer found SOC engagements nonconforming — citing sample selection, evidence sufficiency, opinion language, or system description accuracy.
- Independence violations. Any finding that the firm failed to maintain independence from an attest client. Non-negotiable.
- Repeat deficiencies across review cycles. The same deficiency appears in the current and prior review — the root cause was not remediated.
- Engagement-level Fail for SOC work. A system-level Pass with Deficiency combined with an engagement-level Fail for SOC engagements is disqualifying regardless of what the system-level language says.
- No remediation letter on file. Pass with Deficiency without an accepted letter of response means the deficiency is unresolved.
For the program’s own severity guidance, see the AICPA peer review standards and the AICPA Peer Review Q&A PDF.
What does the scope letter tell you that the opinion doesn’t?
The scope letter lists which engagement types were sampled during the review. A firm with a clean Pass may have had no SOC engagements in the sample — meaning the opinion provides no direct assurance about SOC quality. Buyers should confirm SOC engagements appear in the scope before treating a Pass as validation of SOC-specific capability.
The peer review opinion tells you about the firm’s overall quality control system. The scope letter tells you which engagements were actually tested. These are not the same thing.
A diversified accounting practice that does financial-statement audits, benefit plan audits, and SOC engagements may have its peer review sample weighted toward higher-volume work. If the reviewer sampled five financial-statement audits and no SOC engagements, the Pass opinion is accurate about what was tested — but it carries no direct evidence about SOC quality.
What to look for in the scope letter:
- The letter should enumerate engagement types reviewed. Confirm that “examinations” (the AT-C 205 category covering SOC 2) or “system and organization controls engagements” appear in the list.
- If SOC engagements are not listed, ask the firm directly whether they were sampled and request supporting documentation.
- If SOC engagements are listed and the opinion is Pass, you have direct third-party evidence that a qualified reviewer examined actual SOC work product and found it conforming.
For a firm where SOC is the primary revenue line, this is rarely a problem — 200 SOC engagements per year will almost certainly be in the sample. For a generalist firm offering SOC as a secondary line, confirm explicitly.
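The decision framework above (opinion type, the four deficiency questions, and the scope-letter check) can be applied mechanically to a structured record of what was pulled from the public file. The following is an added example written for this article, not code from the AICPA or any peer review tool; the `PeerReviewRecord` fields, the label sets, and the three verdicts (`accept`, `follow_up`, `reject`) are assumptions chosen to mirror the acceptable and disqualifying patterns listed earlier, and the engagement-level Fail check is applied before the opinion branch so it overrides any system-level wording.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Scope-letter labels under which SOC 2 examinations appear (AT-C 205 "examinations").
SOC_SCOPE_LABELS = {"examinations", "system and organization controls engagements"}
# Deficiency areas the article treats as administrative (engagement quality unaffected).
ADMINISTRATIVE_AREAS = {"cpe documentation", "workpaper organization",
                        "file retention", "evidence indexing"}
# Deficiency areas the article treats as disqualifying regardless of remediation.
DISQUALIFYING_AREAS = {"soc engagement performance", "independence"}
THREE_YEARS = timedelta(days=3 * 365 + 1)  # review cycle; older is overdue

@dataclass
class PeerReviewRecord:  # assumed structure of what you pull from the public file
    enrolled: bool
    review_period_end: date          # end of period covered by the accepted review
    opinion: str                     # "Pass", "Pass with Deficiency" or "Fail"
    scope_engagement_types: set = field(default_factory=set)
    deficiency_areas: set = field(default_factory=set)
    deficiency_engagement_types: set = field(default_factory=set)
    soc_engagement_level_fail: bool = False
    letter_of_response_accepted: bool = False
    repeat_deficiency: bool = False

def assess_peer_review(rec, today):
    """Return (verdict, reasons); verdict is 'accept', 'follow_up' or 'reject'."""
    if not rec.enrolled:
        return "reject", ["firm not enrolled in the AICPA Peer Review Program"]
    reasons, follow_up = [], False
    if today - rec.review_period_end > THREE_YEARS:
        reasons.append("most recent accepted review is over three years old (overdue)")
        follow_up = True
    if not (rec.scope_engagement_types & SOC_SCOPE_LABELS):
        reasons.append("scope letter lists no SOC engagements: no direct SOC assurance")
        follow_up = True
    if rec.soc_engagement_level_fail:
        return "reject", ["engagement-level Fail for SOC work"]
    if rec.opinion == "Fail":
        return "reject", ["Fail: every engagement examined was nonconforming"]
    if rec.opinion == "Pass with Deficiency":
        if rec.deficiency_areas & DISQUALIFYING_AREAS:
            return "reject", ["deficiency in SOC engagement performance or independence"]
        if rec.repeat_deficiency:
            return "reject", ["same deficiency repeated across review cycles"]
        if not rec.letter_of_response_accepted:
            return "reject", ["no accepted letter of response: deficiency unresolved"]
        substantive = rec.deficiency_areas - ADMINISTRATIVE_AREAS
        if substantive and (rec.deficiency_engagement_types & SOC_SCOPE_LABELS):
            return "reject", ["substantive deficiency in a SOC engagement type"]
        reasons.append("deficiency is administrative or unrelated to SOC, remediated and accepted")
    return ("follow_up" if follow_up else "accept"), reasons
```

A `follow_up` verdict means the opinion itself is not disqualifying but you still owe the firm a question (stale review or SOC missing from the sample) before signing.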
How often is peer review refreshed and what happens between cycles?
Peer review runs on a three-year cycle. Between reviews, firms submit annual self-representations. The AICPA may impose an accelerated review for cause. SQMS replaces SQCS for engagements performed after December 15, 2025, and peer review years ending on or after December 31, 2025 — the most significant standards update in a decade.
The three-year cycle creates a gap. A firm reviewed in 2024 will not face its next review until 2027 unless something triggers an accelerated review. Between cycles, firms submit annual representations — self-certifications of continued compliance, not independent examinations.
Accelerated reviews can be imposed in response to: a complaint or referral from a state board; a regulatory or enforcement action against the firm; significant firm composition changes from a merger; or prior review findings the administering entity deems insufficiently remediated. Contact prsupport@aicpa.org to ask whether an accelerated review has been triggered for a specific firm.
Standards transition. PRSU No. 2 introduces quality-management provisions effective for peer review years ending on or after December 31, 2025. SQMS (Statement on Quality Management Standards) replaces SQCS (Statement on Quality Control Standards) for engagements performed after December 15, 2025. SQMS is a more risk-based framework — firms must design quality management systems appropriate to their size and practice mix rather than applying a uniform prescription. Reviews conducted under the new standards will assess SQMS implementation; firms that have not addressed the transition may present new deficiency types in their next review.
What questions should you ask if a firm refuses to share its peer review report?
Firms in PCPS, EBPAQC, or GAQC have public peer review files — there is no legitimate confidentiality basis for refusing to share them. For firms outside those programs, voluntary sharing is allowed and refusal is a red flag. You can check the public file yourself regardless of what the firm claims.
A firm with a clean peer review record has no rational reason to withhold its report.
If the firm claims confidentiality: Reports for firms in PCPS, EBPAQC, or GAQC are publicly accessible. Check the public file at peerreview.aicpa.org/public_file_search.html yourself using the firm’s legal name. If the report is there, the confidentiality claim is false.
If the firm is not in a public-listing program: The report may legitimately be non-public, but firms can voluntarily share with prospective clients — no professional standards provision prohibits it. Refusal in this case is a business decision to withhold quality information. Treat it accordingly.
The written request to send:
“Please provide your most recent peer review report and acceptance letter, including any letter of response and remediation documentation. If your reports are available on the AICPA Peer Review Public File, please share the direct link. If not publicly listed, please provide the documents directly. We require these before executing the engagement letter.”
Send via email so any refusal is documented.
If the firm still refuses: Run the public file search yourself. If the firm appears with a current Pass, their refusal becomes a judgment call about whether you trust a firm making unnecessary confidentiality claims. If the firm does not appear, ask them to document peer review enrollment before you proceed.
For the broader verification flow that puts peer review in context alongside state CPA licensing and AICPA membership, see the full AICPA standing verification guide. For state-board licensing rules that interact with peer review enrollment, see the state CPA licensing requirements overview. For how peer review factors into selecting the right firm overall, see the how to choose a SOC 2 auditor guide. Every firm in our SOC 2 auditor directory has been checked against the public file as part of our verification methodology.
Frequently asked questions
What is the AICPA Peer Review Program and who runs it?
The AICPA Peer Review Program is a mandatory quality-oversight program for AICPA member firms performing attest engagements. It is administered by the AICPA Peer Review Board through state CPA societies and the National Peer Review Committee. Firms performing SOC 2 engagements must undergo System Reviews — not the lighter Engagement Review type — on a three-year cycle.
How do you find a SOC 2 firm’s peer review report?
Search the AICPA Peer Review Public File by firm name. Collect both the acceptance letter (confirming the review was accepted) and the scope letter (showing which engagement types were sampled). For firms not in the public file, request documentation directly and require it before signing the engagement letter.
What does a Pass with Deficiency mean for a SOC 2 engagement?
It means the reviewer found specific weaknesses in the firm’s quality control system but the firm is functioning. Per AICPA language: “except for the deficiencies described, the system of quality control has been suitably designed and complied with.” Whether it is acceptable depends on what the deficiency covered — read the deficiency description and check for an accepted remediation letter before making a judgment.
Can a firm with a Fail rating still issue SOC 2 reports?
The AICPA does not revoke state-licensed attest authority based on peer review outcome alone. But a firm with a Fail has had every engagement examined found nonconforming, and it is ineligible to perform peer reviews of other firms. Engaging a Fail-rated firm until a completed remediation review is accepted by the AICPA is an unreasonable risk for any buyer.
What is the SQMS transition and does it affect my current engagement?
SQMS (Statement on Quality Management Standards) replaces SQCS as the quality management framework for CPA firms. It applies to engagements performed after December 15, 2025, and peer review years ending on or after December 31, 2025. If your observation period spans that date, ask the firm whether it has implemented SQMS. The AICPA peer review standards page has the authoritative transition timeline.
How do I use peer review as one signal among several when selecting a SOC 2 auditor?
Peer review is one of four quality signals — alongside state CPA licensure, AICPA membership, and engagement-specific SOC experience. For the full selection rubric that integrates all four, see the how to choose a SOC 2 auditor guide. For the directory of 126 firms filtered by quality signals, see best SOC 2 auditors.