AICPA

The AICPA, or American Institute of Certified Public Accountants, is the professional organization that establishes auditing and attestation standards in the United States, including the SOC suite of reports. The AICPA publishes the Trust Services Criteria that form the basis of SOC 2 audits and the broader attestation standards (AT-C 105 and AT-C 205) under which SOC 2 engagements are performed. Because the AICPA defines what qualifies as a SOC 2 audit, only licensed CPAs can perform these engagements and issue the resulting attestation reports. The AICPA periodically updates the Trust Services Criteria, and service organizations and their auditors must stay current with the latest version applicable to their report period. The AICPA also publishes other reports relevant to compliance programs, including SOC 1 (for financial reporting controls), SOC 3 (a general-use summary of SOC 2), and SOC for Cybersecurity. Understanding the AICPA's role clarifies why SOC 2 differs from prescriptive standards like ISO 27001 that are governed by different bodies.