CPAs and CISAs: Choosing the Right SOC 2 Auditor

Trusted SOC 2 attestation experts by Lazarus Alliance  

In today’s ever-evolving digital landscape, data security and privacy are central concerns. As businesses increasingly depend on cloud services and third-party vendors to manage their data, it becomes crucial to ensure these service providers adhere to stringent security standards.

A prominent standard in this domain is the Service Organization Control 2, or SOC 2, a framework developed by the American Institute of Certified Public Accountants (AICPA). SOC 2 evaluates and reports on the controls at service organizations that directly impact customer data.

In this discussion, we delve into SOC 2 assessors and the essential factors to consider when selecting one.

Understanding the Expectations of SOC 2

The SOC 2 Trust Services Criteria are a set of standards developed by the AICPA to assess the controls of a service organization concerning security, availability, processing integrity, confidentiality, and privacy. 

  • Security: The one criterion included in every SOC 2 audit, it pertains to protecting system resources from unauthorized access. Access controls are established to thwart potential system abuse, unauthorized data removal, and software misuse.
  • Availability: This criterion ensures the accessibility of the system, products, or services stipulated by a contract or service level agreement (SLA). It encompasses network performance, system availability, and disaster recovery plans.
  • Processing Integrity: Focused on delivering accurate data at the right time, this criterion ensures the system effectively serves its purpose. Data processing must be complete, valid, accurate, timely, and authorized.
  • Confidentiality: This criterion restricts data and information access to a specified set of individuals or organizations. Measures like data encryption, firewalls, and private networks are employed to achieve this.
  • Privacy: This criterion addresses the collection, use, retention, disclosure, and disposal of personal information in line with an organization’s privacy notice and AICPA’s generally accepted privacy principles (GAPP).

Understanding the SOC 2 Audit Process

SOC 2 Auditor

SOC 2 audits are typically conducted by Certified Public Accountants (CPAs) under the guidance of the AICPA. Not all CPAs are qualified to perform SOC 2 audits, as specific training and experience in information security and the SOC 2 auditing process are required.

Moreover, SOC 2 auditors often hold the Certified Information Systems Auditor (CISA) certification—a globally recognized credential for IS audit control, assurance, and security professionals.

The SOC 2 audit encompasses the following steps:

  • Understanding the Service Organization: The auditor begins by comprehending the service organization, its system, and its services. This involves gaining insights into the organization’s infrastructure, software, personnel, procedures, and data.
  • Identifying the Trust Services Criteria: The auditor identifies the relevant Trust Services Criteria (TSC) to be included in the audit. The TSC are a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy. The five TSC are Security, Availability, Processing Integrity, Confidentiality, and Privacy.
  • Risk Assessment: The auditor performs a risk assessment to identify potential risks that could hinder the fulfillment of the TSC.
  • Controls Testing: The auditor tests the design and effectiveness of controls to mitigate identified risks.
  • Reporting: The auditor prepares a comprehensive SOC 2 report containing a detailed system description and the auditor’s opinion on whether that description is fairly presented, whether the controls are suitably designed, and, in Type 2 reports, whether the controls operated effectively.
  • Management Assertion: The service organization’s management provides a written assertion to the auditor, confirming the fair presentation of the system’s description, suitability of control design, and, in Type 2 reports, the effectiveness of controls during the reporting period.

CPA and CISA Requirements for SOC 2 Audits

While both the CPA and CISA are professional certifications, they cater to different domains and necessitate distinct skill sets:

  • Certified Public Accountants: CPAs are professionals who have passed the Uniform CPA Examination and fulfilled specific education and experience requirements in accounting. Their expertise lies in areas like tax, audit, financial reporting, and consulting. Additionally, in the case of SOC 2 audits, special training is offered through the AICPA.
  • Certified Information Systems Auditor: CISA certification is tailored for professionals who audit, control, monitor, and assess an organization’s information technology and business systems. The CISA certification highlights proficiency in managing vulnerabilities, implementing controls, and ensuring compliance within the enterprise’s IT infrastructure.

While it is common for SOC 2 auditors to possess both CPA and CISA certifications, it is not an absolute requirement. 

Choosing an Appropriate SOC 2 Evaluator

Selecting a qualified, experienced SOC 2 evaluator involves carefully considering several essential factors. Here are key aspects to bear in mind:

  • Qualifications and Certifications: Ensure the auditor is a CPA working within a licensed CPA firm. Additional certifications like CISA or Certified Information Systems Security Professional (CISSP) are advantageous, showcasing a deep understanding of IT controls and security.
  • Experience with SOC 2 Audits: The evaluator should have extensive experience conducting SOC 2 audits, preferably within your industry. This familiarity enables them to comprehend your organization’s unique requirements and challenges.
  • Understanding of Your Business and Industry: The auditor should demonstrate a thorough grasp of your business operations, industry, and regulatory landscape. This facilitates the identification of relevant risks and controls during the audit.
  • Communication Quality: An effective auditor communicates clearly and can explain intricate concepts in understandable terms. Their responsiveness and availability to address queries during the audit process are also crucial.
  • Reputation and References: Investigate the auditor’s reputation within the industry. Request references from past clients to gain insights into their experiences working with the auditor.
  • Audit Approach: Understand the evaluator’s approach to the audit process. A competent auditor will identify issues and provide valuable recommendations for enhancing controls and procedures.
  • Cost: Although cost should not be the sole determining factor, it is essential to grasp the auditor’s fee structure and ensure it aligns with your budget.

Remember, the ultimate objective of a SOC 2 audit extends beyond compliance to include the improvement of your organization’s controls and processes. Consequently, selecting an evaluator who can offer valuable insights and recommendations is vital, as it turns the audit into more than a compliance check.

Work with a CPA and CISAs from Lazarus Alliance

When it comes to SOC 2 audits, work with a firm that has both CPA and CISA certifications. Our training, experience, and background make us the best choice to ensure that you’re getting the best partner and auditor you can for your ongoing compliance requirements. 

Download our company brochure.
