vCISO vs Readiness Firm vs Auditor: Who Does What?

A vCISO or consultant builds and operates the security program. A readiness firm prepares and tests readiness before fieldwork. An independent licensed CPA auditor examines and attests. Management owns the controls throughout, and only the CPA firm can issue the SOC 2 report.

The boundary exists for a reason. An auditor cannot objectively evaluate controls after taking management’s role in designing, approving, or operating them. AICPA independence is therefore the spine of the buying decision: preparation can be hands-on, but the final examination must remain independent.

What is the difference between a vCISO, readiness firm, and auditor?

A vCISO leads and helps build the security program. A readiness firm checks the program against SOC 2 criteria and prepares remediation and evidence. An independent licensed CPA firm examines the controls and issues the SOC 2 report.

RolePrimary jobTypical deliverableCan issue the SOC 2 report?Independence boundary
vCISO or consultantBuild and operate the programSecurity roadmap, policies, risk decisions, control ownershipNoWorks for management and may help operate controls
Readiness firmPrepare the company for examinationGap assessment, remediation plan, evidence mapNoAdvises and prepares; does not provide the attest opinion
Independent CPA auditorExamine controls and evidenceSOC 2 Type 1 or Type 2 reportYesMust remain objective and avoid management responsibility

Start with the work your team cannot perform internally. Use the vCISO firms directory when security lacks an accountable leader, the SOC 2 readiness firms directory when the program needs a defined pre-audit project, and the best SOC 2 auditors guide when controls are ready for an independent examination.

Three roles deliver a SOC 2, but only the independent CPA auditor can issue the report A vCISO builds and operates the security program; a readiness firm prepares and tests the evidence; the independent CPA auditor examines the controls and signs the report. AICPA independence bars the first two from attesting, so only the licensed CPA firm issues the SOC 2 report. Three roles, one SOC 2: who does what vCISO builds & operates Designs the roadmap, policies, and controls; runs the program. Issues SOC 2 report: No Readiness firm prepares & tests Runs the gap assessment and gets evidence audit-ready. Issues SOC 2 report: No Independent CPA auditor examines & attests Independently tests controls and signs the opinion. Issues SOC 2 report: Yes AICPA independence bars the first two roles from attesting. Only the licensed CPA firm can issue the report.
Three roles deliver a SOC 2, but only the independent CPA auditor can issue the report.The vCISO builds and runs the program; the readiness firm prepares and tests the evidence; the independent CPA auditor examines and attests. AICPA independence keeps these separate.

What does a vCISO do before a SOC 2 audit?

A vCISO turns business requirements into a security program, assigns control owners, guides risk decisions, and maintains the operating cadence. The vCISO can prepare the company for examination but cannot provide the independent CPA opinion.

A vCISO is an outsourced security leader, not simply a checklist reviewer. The engagement may cover risk governance, policy approval, incident exercises, vendor reviews, customer questionnaires, security metrics, and executive reporting. During SOC 2 preparation, that person helps management decide how controls should work and who owns them.

This role fits when nobody inside the company can keep the program operating after an initial readiness sprint. Compare providers through the vCISO services hub and use the vCISO cost guide to distinguish an ongoing retainer from a fixed project. The vCISO should coordinate with the auditor, but should never present advisory work as an independent examination.

What does a SOC 2 readiness firm do?

A readiness firm runs a focused pre-audit assessment, maps existing practices to the Trust Services Criteria, identifies gaps, and helps organize remediation and evidence. Its deliverable prepares management for the audit; it is not the SOC 2 report.

Readiness is usually narrower than outsourced security leadership. The firm scopes the likely examination, interviews control owners, reviews policies and configurations, identifies missing evidence, and produces a prioritized plan. Some engagements add templates, implementation support, or retesting after remediation.

Use the readiness firms hub when the organization already has a security owner but needs an experienced team to find gaps before the CPA does. The readiness assessment cost guide covers the assessment itself, while the SOC 2 consultant cost guide explains broader build and remediation scopes.

What does the independent SOC 2 auditor do?

The auditor defines the engagement, evaluates management’s description and controls, tests evidence, documents exceptions, and issues the CPA opinion. The auditor does not own the controls, make management decisions, or guarantee a clean result before completing the examination.

For a Type 1 report, the firm evaluates control design and implementation at a point in time. For a Type 2 report, it also tests operating effectiveness across the stated period. In both cases, management supplies the system description, assertion, controls, and evidence. The auditor evaluates them against the applicable Trust Services Criteria.

When the program is ready, compare licensed firms in the SOC 2 auditor directory, review the auditor selection rubric, and budget with the SOC 2 audit cost guide. A readiness provider’s recommendation can be useful, but management should still know which CPA firm is signing the report and verify its standing.

Why must the SOC 2 auditor stay independent?

The auditor must evaluate management’s controls objectively. AICPA independence rules prevent the attest firm from assuming management responsibility or auditing work it effectively performed for the company. Management must own decisions, controls, evidence, and remediation.

Independence does not prohibit every conversation before fieldwork. An auditor can explain criteria, request evidence, and discuss findings without becoming management. The line is crossed when the firm chooses controls for the company, approves policies, operates the program, or makes the decisions it later evaluates.

The cleanest structure assigns preparation to internal staff, a vCISO, or a readiness consultant and reserves the opinion for an independent CPA firm. If one organization proposes both readiness and attestation, ask for the contracting entities, engagement teams, permitted services, management-responsibility safeguards, and written independence analysis. Convenience does not erase the boundary.

Do you need all three providers for SOC 2?

Not always. A company with capable internal security leadership may skip the vCISO, and a mature team may run readiness internally. The independent licensed CPA auditor is the non-negotiable provider because only that firm can issue the report.

Internal conditionSensible buying path
No security owner and controls are immaturevCISO or consultant, then readiness, then auditor
Security owner exists but SOC 2 experience is limitedReadiness firm, then auditor
Controls and evidence are matureAuditor, with targeted readiness help only if gaps appear
Ongoing customer reviews need executive ownershipvCISO plus independent auditor

Buy the missing capability, not every label. Before signing, write one sentence for who designs controls, who operates them, who checks readiness, and who signs the report. If the same person appears in incompatible roles, restructure the engagement before fieldwork begins.