What CPA Licensing and State Permit Rules Apply to Your SOC 2 Auditor?

• SOC 2 Auditors Editorial Team

If you’re hiring an out-of-state SOC 2 auditor, three things matter — and only one of them is the individual CPA’s license. The CPA’s individual credential is layer one. The firm’s authorization to issue attest reports in your state is layer two, and it’s the one most buyers miss. AICPA peer review reciprocity is layer three, and it’s the one that almost always works in your favor. This guide combines all three into a single decision flow for buyers, drawing on the 2025 NASBA mobility update and the firm-permit rules that vary by state. For the AICPA membership side of the credential stack, see the AICPA standing verification guide. For peer review opinions and what Pass with Deficiency actually means, see the peer review quality guide.

Does My SOC 2 Auditor Need to Be Licensed in My State?

The individual CPA must hold an active license in their home state and meet substantial equivalency under UAA Section 23. Under NASBA mobility rules, that license gives practice privilege in most other states without filing notice. The firm, however, may need a separate registration in your state before it can issue attest reports — California is the most prominent example.

The short answer is: probably not in the way you’re thinking, but there’s a layer you need to check.

Individual CPA mobility. Under the Uniform Accountancy Act (UAA) Section 23 and the NASBA Substantial Equivalency framework, a CPA who holds an active license in a state that has adopted mobility legislation can practice in other substantially equivalent states without obtaining a second license or filing advance notice. The original “state-based” model required the home state to be on a substantial equivalency list. The 2025 relaunch of CPAmobility.org (discussed in the next section) moves this toward an individual-based assessment — the CPA’s own education, exam, and experience record determines portability, not just whether their home state happens to be on a list.

To verify an individual CPA’s standing, use NASBA’s CPAverify portal (nasbaregistry.org). CPAverify aggregates license data from participating state boards. Confirm the license is active, not suspended, and not restricted. The signing CPA’s license number should appear in the engagement letter before you execute it.

Firm-level authorization. CPA firm mobility rules are not identical to individual mobility rules. Most states follow the individual, but a small number require the firm itself to register before issuing attest reports within their jurisdiction. SOC 2 is an attest engagement under SSAE 18 (AT-C 205), so any state that draws a distinction between attest and non-attest firm mobility applies its stricter rule to your engagement.

This firm-permit question is where many buyers are surprised. They confirm the individual CPA is licensed and stop there. The firm-registration step is separate and is addressed in detail below.

For the broader question of what qualifications to require of any SOC 2 auditor — including why state CPA licensing is checked per signing partner, not per firm — see the auditor certification overview.

What Changed with NASBA Mobility in 2025?

In September 2025, NASBA relaunched CPAmobility.org to track mobility status across all 55 jurisdictions in real time. The update reflects a shift toward individual-based practice privilege: a CPA’s mobility now depends on their own credential record (150 hours, passed exam, one year experience) rather than solely whether their home state is on a substantial equivalency list.

The NASBA CPA mobility system has been in place since the UAA 2000 amendments, but September 2025 brought the most significant structural update in years. On September 22, 2025, NASBA announced the relaunch of CPAmobility.org as a real-time tracking tool showing which of the 55 US licensing jurisdictions have enacted individual mobility, notice-based mobility, or neither. The Journal of Accountancy covered the same development on September 24, 2025, framing it as a shift from the older state-based approach.

NASBA followed up on December 23, 2025, with a broader CPA Licensure Pathways post describing how the individual-based model works in practice.

What “individual-based” means. Under the prior model, a CPA’s home state needed to appear on a substantial equivalency recognition list before the CPA could claim practice privilege elsewhere. The updated model evaluates the CPA directly against the UAA threshold: 150 semester hours of education, passage of the Uniform CPA Examination, and at least one year of public accounting experience. CPAs who meet those requirements individually have a portable credential regardless of whether their home state has formally adopted every provision of the UAA.

“No notice” vs. “notice” mobility. Some states allow CPAs to begin practicing immediately upon arrival (no-notice mobility). Others require the CPA to file a notification with the state board before or shortly after commencing services. Notice requirements are administrative, not substantive — the CPA doesn’t need approval, only to document the engagement. CPAmobility.org now shows which model each jurisdiction uses, updated as laws change.

The NASBA Substantial Equivalency framework and UAA 9th Edition remain the governing documents. UAA Section 23 is the individual mobility provision; Section 7(b) addresses firm permits.

Why this matters for SOC 2 buyers. If your auditor’s firm is headquartered in one state and you’re in another, the individual CPA partner signing the report can almost certainly do so under mobility rules. The question to ask your auditor is: “Are you individually qualified under NASBA Substantial Equivalency, and does your home state have no-notice or notice-based mobility in our state?” Most established SOC 2 firms can answer this in one sentence.

Which States Require an Out-of-State Firm Permit?

Most states extend individual CPA mobility to the firm automatically — no separate firm permit is required. California, Hawaii, and a small number of other states require out-of-state firms to register before issuing attest reports referencing in-state operations. Because SOC 2 is an attest engagement, the stricter attest-specific rule applies wherever it exists.

This is the section most competitor articles skip. Individual CPA mobility is well documented. Firm-level registration for attest engagements is the less-visible requirement that creates real compliance gaps.

California is the canonical example. The California Board of Accountancy (CBA) requires out-of-state firms that perform attest services for California-based clients to register as Out-of-State Firm Registrants. The registration is not burdensome — it requires proof of licensure in the home state, a designated California-licensed CPA on the engagement, and an application fee — but it is required before the firm issues the attest report, not after. A SOC 2 report signed by an unregistered out-of-state firm for a California-headquartered company is technically non-compliant with CBA regulations.

The practical significance depends on where your company’s operations and systems are located. If your servers and primary operations are in California but your auditor is a New York firm with no California registration, this is a gap worth closing before the report is issued. Ask your auditor directly: “Is your firm registered with the California Board of Accountancy as an Out-of-State Firm Registrant?”

Hawaii imposes a similar firm-permit requirement for out-of-state attest providers. Other states that have historically required firm permits include selected jurisdictions in the South and Mountain West — the specific requirements are best confirmed directly with the relevant state board, as legislative activity in 2024-2026 has produced changes in several jurisdictions.

The pattern across 50 states. Rather than 50 distinct rule sets, the landscape groups into three patterns:

  1. Mobility-friendly default (majority of states). Individual CPA mobility extends to the firm. No separate firm permit is required for attest services. The individual CPA may need to file a notice, but the firm can operate on the strength of the individual’s license.

  2. Firm-registration states (California, Hawaii, and a small number of others). The firm must register separately before issuing attest reports. Registration is typically straightforward but must precede the engagement.

  3. Hybrid states. Individual mobility is available, but attest-specific firm rules impose additional conditions (designated in-state licensed CPA, specific insurance thresholds, or notification to the state board before the engagement commences). Confirm with the specific board before assuming mobility applies fully.

The 15-state reference table below gives the current status for the most common states where SOC 2 engagements arise. For states not in the table, the NASBA State Boards directory and CPAmobility.org are the authoritative sources.

How Does AICPA Peer Review Reciprocity Actually Work?

Firms enrolled in the AICPA Peer Review Program satisfy peer review requirements across nearly all US jurisdictions without separate state-by-state enrollment. State boards of accountancy accept AICPA Program enrollment in lieu of their own state-sponsored programs. This is the layer of cross-state authorization that almost always works in the buyer’s favor.

State boards of accountancy require CPA firms performing attest services to be enrolled in a peer review program. The AICPA Peer Review Program is accepted by virtually every state board as satisfying this requirement. A firm enrolled in the AICPA Program does not need to separately enroll in each state’s own program for each new attest client.

This reciprocity is not automatic — the state board has to have formally accepted the AICPA Program. In practice, all 55 US licensing jurisdictions accept AICPA Program enrollment. The only meaningful exception arises when a state has its own mandatory program and the state board has not updated its rules to cross-accept the AICPA Program, which is rare and becoming rarer.

The PCAOB tangent. SOC 2 is not a PCAOB-regulated engagement. SOC 2 reports are issued under AICPA standards (SSAE 18 / AT-C 205), not PCAOB auditing standards. However, if the same firm also audits public companies registered with the SEC, those engagements fall under PCAOB oversight, and peer review does not apply to PCAOB-registered work — PCAOB inspections replace it for those engagements. This distinction matters for large national firms that do both: their SOC 2 practice remains under AICPA peer review, while their public-company audit practice is inspected by PCAOB. For the detailed carve-out mechanics, see the AICPA peer review guide.

Verifying peer review enrollment for an out-of-state firm. The AICPA Peer Review Public File at peerreview.aicpa.org is not state-specific — it covers AICPA Program enrollment nationwide. Search the firm’s legal name regardless of which state they’re headquartered in. Enrollment status and the most recent accepted peer review opinion are displayed. Cross-state location has no bearing on where in the public file a firm appears.

How Do I Verify Cross-State Authorization Before Signing?

Four checks cover the full cross-state authorization picture: (1) CPAverify for individual license status, (2) CPAmobility.org for whether the home state has no-notice or notice mobility in your state, (3) the state board’s firm-registration rules for attest engagements, and (4) the AICPA Peer Review Public File for enrollment and opinion.

The four-step verification flow for hiring an out-of-state SOC 2 auditor:

Step 1: Individual CPA license in good standing. Go to nasbaregistry.org and search the signing CPA’s name and home state. Confirm: active status, no suspensions, no restrictions, license type is individual CPA (not just a firm record).

Step 2: Mobility authorization in your state. Go to cpamobility.org (relaunched September 2025) and look up the firm’s home state. Determine whether your state has no-notice or notice-based mobility for CPAs from that home state. If notice is required, ask the firm to confirm they have filed it. This step covers individual mobility — proceed to Step 3 for the firm layer.

Step 3: Out-of-state firm permit, if applicable. Ask the firm directly: “Does your firm hold any required firm registrations or permits in our state to perform attest services?” If your company is headquartered in California, ask specifically about California CBA Out-of-State Firm Registrant status. If your operations span multiple states, check the relevant ones in the table below. For states not in the table, contact the state board of accountancy directly.

Step 4: AICPA Peer Review enrollment and opinion. Search peerreview.aicpa.org/public_file_search.html by firm name. Confirm enrollment, that the most recent accepted opinion is Pass (or Pass with Deficiency with an acceptable deficiency type), and that the review is current (within three years). For full guidance on evaluating the opinion and scope letter, see the peer review quality guide.

Professional liability coverage. Some states require out-of-state CPA firms to carry a minimum level of professional liability (errors and omissions) coverage before performing attest services within the jurisdiction. This is separate from licensure — ask the firm for a certificate of insurance confirming coverage limits and that the policy covers attest engagements in your state. Most established SOC 2 firms carry coverage well above any state minimum, but confirming in writing before signing is standard practice.

The written question to send your auditor:

“Please confirm: (1) the name and license number of the signing CPA and their home state; (2) whether your firm has filed any required mobility notice for our state; (3) whether your firm holds any required state firm permit or out-of-state firm registration for attest services in our state; (4) your AICPA Peer Review enrollment status and the date of your most recent accepted review; and (5) proof of professional liability coverage applicable to this engagement.”

Require written responses before executing the engagement letter. Every firm in our SOC 2 auditor directory has been checked against these criteria as part of our verification methodology.

What Are the CPA Licensing Requirements State by State?

The table below covers 15 representative states and shows individual practice privilege status, whether an out-of-state firm permit is required for attest engagements, and AICPA peer review reciprocity. Most states default to yes / no / yes. California and Hawaii are the notable exceptions requiring separate firm registration for attest work.

The table reflects rules as of April 2026. CPA mobility legislation is active in several jurisdictions; confirm directly with the relevant state board for recent changes. “Consult board” entries indicate that the rule is in a transition period or that the state has conditions that depend on engagement type and client location in ways that require direct verification.

| State | Individual Practice Privilege | Out-of-State Firm Permit Required (Attest) | Peer Review Reciprocity | Notes |
|---|---|---|---|---|
| California (CA) | Yes -- no notice required for individual CPAs meeting substantial equivalency | Yes -- California CBA Out-of-State Firm Registrant required for attest engagements referencing CA-based clients | Yes | Firm registration is the primary gotcha for out-of-state SOC 2 firms. See dca.ca.gov/cba for registration process. |
| New York (NY) | Yes -- no notice required under NY Education Law Section 7402(3) | No -- NY follows individual mobility; no separate firm permit required for attest | Yes | NY does not have a separate out-of-state firm permit requirement for attest. Individual CPA must be in good standing in home state. |
| Texas (TX) | Yes -- no notice required; TX Board recognizes substantial equivalency | No -- firm permit not required; individual mobility covers attest | Yes | TX adopted individual mobility; no separate firm registration for attest services required for out-of-state firms. |
| Florida (FL) | Yes -- notice-based; CPA must file notification with FL Board before commencing services | No -- individual notice covers the engagement; no separate firm permit | Yes | Florida requires the individual CPA to file notice but does not require a separate firm permit for out-of-state attest firms. |
| Illinois (IL) | Yes -- no notice required; IL has adopted substantial equivalency | No | Yes | Standard mobility-friendly state. Confirm CPA license is active in home state via CPAverify. |
| Massachusetts (MA) | Yes -- no notice required | No | Yes | MA Board of Public Accountancy follows UAA mobility; no attest-specific firm permit for out-of-state firms. |
| Washington (WA) | Yes -- no notice required | No | Yes | WA has adopted individual mobility. State Board tracks AICPA Program enrollment as satisfying peer review. |
| Georgia (GA) | Yes -- no notice required | No | Yes | GA Board of Accountancy adopted substantial equivalency mobility. Standard mobility-friendly posture. |
| New Jersey (NJ) | Yes -- notice-based; NJ requires notification before commencing attest services | Consult board -- NJ has historically had firm-level conditions for attest; verify current status with NJ State Board of Accountancy | Yes | NJ's firm-level attest rules have been subject to legislative review. Verify directly before engagement execution. |
| Virginia (VA) | Yes -- no notice required | No | Yes | VA Board of Accountancy follows standard UAA mobility. No separate firm permit for attest. |
| Ohio (OH) | Yes -- no notice required | No | Yes | OH Accountancy Board adopted substantial equivalency. Standard mobility-friendly state. |
| Pennsylvania (PA) | Yes -- notice-based; PA requires a one-time notification for CPAs commencing practice in PA | No -- individual notice covers the engagement | Yes | PA State Board of Accountancy requires the individual CPA to file notice. No separate firm permit for attest. |
| North Carolina (NC) | Yes -- no notice required | No | Yes | NC State Board of CPA Examiners follows UAA mobility. No attest-specific firm permit for out-of-state firms. |
| Colorado (CO) | Yes -- no notice required | No | Yes | CO Board of Accountancy adopted individual mobility. Standard mobility-friendly posture. |
| Minnesota (MN) | Yes -- no notice required | No | Yes | MN Board of Accountancy follows UAA mobility. AICPA Program enrollment accepted for peer review. |

Hawaii note. Hawaii is not in the primary table because its firm-permit requirement for out-of-state attest firms is comparable to California’s — if your company has Hawaii-based operations and you’re using an out-of-state auditor, confirm directly with the Hawaii Board of Public Accountancy whether an out-of-state firm registration is required before the attest report is issued.

General note on “consult board” entries. CPA mobility legislation has been active in 2024-2026 across several states. Rules that required notice in 2022 may have converted to no-notice by 2026, and vice versa in rare cases. The table above reflects best available information as of April 2026, but for any engagement involving a state in a legislative transition, direct confirmation with the state board takes precedence over any published table.

Frequently Asked Questions

Does the individual CPA’s home state matter if they meet substantial equivalency individually?

Under the 2025 NASBA individual-based model, a CPA who meets the UAA threshold (150 hours education, CPA exam, one year experience) has a portable credential. The home state’s listing status matters less than it did under the prior state-based model. Verify through CPAmobility.org whether the specific home-state / practice-state combination requires notice filing, then confirm the individual meets substantial equivalency requirements. See the NASBA Substantial Equivalency page for the authoritative framework.

Can a CPA from a state that hasn’t adopted UAA mobility still do SOC 2 work in my state?

Yes, but the path is different. A CPA whose home state is not mobility-compliant must either (a) obtain a license in your state through reciprocity or endorsement, or (b) ensure the engagement is managed by a CPA who does hold a qualifying license. This is uncommon for established SOC 2 firms — most are headquartered in states that adopted UAA mobility — but worth confirming if you’re working with a smaller regional firm. See the CPA Journal’s mobility overview for the pre-2025 framework context.

If my company has operations in multiple states, does my auditor need to be registered in all of them?

Typically no. The relevant jurisdiction for firm-permit purposes is generally where the attest report is issued and where the client’s operations are principally located — not every state where the company does business. California’s rule, for example, applies to firms issuing attest reports “for clients having their principal place of business in California.” If your SOC 2 system description covers infrastructure in multiple states but your HQ is in Texas, the Texas rules govern for most purposes. That said, if the audit scope explicitly references California-located systems and a California-based subsidiary, the CBA may take the position that the engagement involves a California client. Confirm with your auditor and, if needed, with the CBA directly.

Does SOC 2 work fall under PCAOB jurisdiction?

No. SOC 2 reports are issued under AICPA standards (SSAE 18, AT-C 205) and are not subject to PCAOB oversight. PCAOB jurisdiction applies to audits of public companies registered with the SEC. If your auditor also performs public-company audits, their PCAOB-registered work is inspected by PCAOB separately from their SOC 2 practice, which remains under AICPA peer review. For the full carve-out mechanics, see the peer review guide.

How do I find a pre-vetted auditor who has already confirmed cross-state authorization?

The SOC 2 auditor directory covers 126 firms. The best SOC 2 auditors shortlist applies quality filters including license status and peer review standing. Our methodology documents exactly what we check. If you want quotes from auditors who have been screened against these criteria, the auditor matching tool surfaces three matched firms with pricing.
