AICPA guides peer reviewers to address SOC 2 risks
As firms perform SOC 2 engagements at higher volumes, peer reviewers need to identify related risks and reinforce quality.
AICPA system and organization controls (SOC) reporting has become a cornerstone of trust in today’s technology-driven market, with SOC 2 reports playing a critical role in third-party risk management. As demand for SOC 2 services continues to expand, the profession is experiencing heightened responsibilities and the need for increased attention to new emerging risks, particularly as SOC tools and platforms become more prevalent across the market.
“SOC services continue to grow, and with that growth comes complexity,” said Carl Mayes, CPA, vice president–Ethics and Firm Quality at the AICPA. “Some firms are leaning too heavily on third-party SOC platforms without applying the professional judgment required by our standards. Regardless of the tools used, CPAs must remain competent, objective, independent, and committed to engagements that reflect the unique risks and circumstances of each client.”
A heightened focus on SOC 2 quality
The AICPA’s Peer Review Board (PRB), along with the Peer Review team, has been closely monitoring firms performing SOC 2 engagements, including high-volume providers using third-party platforms, and considering the associated risks that need to be addressed. (See “SOC Engagements: Ethics Risks With Tool Providers,” JofA, April 6, 2026.)
One specific risk is that a firm’s SOC 2 engagements are not designed to respond to the unique risks associated with the service organization, resulting in engagements that have identical reports, risk assessments, sample sizes, and testing procedures. In such circumstances, these engagements are not performed in accordance with the relevant professional standards in all material respects. In peer review, this is known as a “nonconforming” engagement.
The PRB determined that action was necessary, given recent feedback. (Listen to the podcast episode “The Risks of Quick-Turn SOC Engagements and What CPAs Should Know,” JofA, April 30, 2026.)
As a start, a new reviewer alert article has been issued to let peer reviewers know how to address these situations. This communication, included as part of the May 2026 reviewer alert:
- Raises awareness of the risks currently observed in SOC 2 engagements.
- Emphasizes that reviewing a single SOC 2 engagement file is often insufficient to address these specific risks, including the risk that there are issues with the firm’s system of quality management.
- Guides reviewers to obtain a deeper understanding of:
- The firm’s use of technology, including external SOC platforms or vendor relationships.
- The reasonableness of SOC 2 engagement timelines.
- Whether engagements are tailored to each client’s specific risks and environment.
Responding when elevated risks are identified
When a peer reviewer obtains this deeper understanding and concludes that engagement timelines appear unreasonable or that other risk indicators are present, the team captain will likely determine that an elevated risk exists. In those cases, the review team will have to develop an appropriate response, which may include:
- Selecting several SOC 2 engagements — often about five — from different partners.
- Comparing reports to one another and to prior-year reports.
- Reviewing targeted areas requiring engagement-specific judgment.
- Determining whether identical risk assessments, control designs, sample sizes, or testing procedures appear across engagements.
Should these procedures show that a firm is not appropriately performing its engagements, potentially relying too heavily on compliance tools, and not complying with relevant professional standards in all material respects, the reviewer will likely conclude these engagements are “nonconforming.”
Such a conclusion would increase the likelihood that a firm might have a deficiency or significant deficiency in its peer review report. This also increases the likelihood that the firm would be required to complete some follow-up action to complete its peer review.
Follow-up actions could include revisions to the firm’s system of quality management or reviews of completed engagements performed by an outside party.
A new monitoring and outreach process
The AICPA is working on implementing a more structured monitoring and outreach process for peer reviews involving firms with SOC 2 practices. This would be designed to support reviewers and ensure consistency across the program.
Beginning June 1, staff intends to:
- Identify scheduled peer reviews of firms that perform SOC 2 engagements.
- Conduct direct outreach to team captains early in the process.
- Provide resource materials, including the JofA article “Promises of ‘Fast and Easy’ Threaten SOC Credibility,” JofA, Feb. 1, 2026; the reviewer alert; and additional guidance.
- Offer support on engagement selection, potential “no” answers, and conclusions of whether an engagement is nonconforming.
Enhanced oversights
Finally, peer reviews of firms with SOC 2 practices will also continue to receive heightened scrutiny through the PRB’s enhanced oversight program.
In an enhanced oversight, a subject matter expert reviews the work performed by a peer reviewer to assess the appropriateness of the peer reviewer’s conclusion on a specific engagement. This program has proved effective in improving both firm performance and peer reviewer performance since its inception in the mid-2010s.
Professional standards, ethical requirements, and peer review oversight continue to serve as the foundation for quality SOC engagements. The PRB and Peer Review team are committed to doing their part to promote quality across the profession and serve the public interest.
“Our goal is simple,” Mayes said. “Ensure that SOC 2 engagements reflect the professional judgment, rigor, and client-specific tailoring that the public expects from CPAs. Peer review is one of the most powerful tools we have to reinforce those expectations and strengthen quality across the profession.”
— Tim Kindem, CPA, is technical director–Peer Review at the AICPA. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.
