Demonstrating a commitment to data security is no longer optional—it’s expected. If your organization handles sensitive data, provides IT services, or operates within regulated industries, you’ll need more than policies in place—you’ll need to prove those controls work. That’s where attestation services governed by the American Institute of Certified Public Accountants (AICPA) come in.
This blog explores the latest AICPA attestation services under SSAE No. 23, clarifies the differences between attestation and non-attestation services, and explains how SOC 2 Type 1 and Type 2 audits compare—shedding light on how these services help build lasting trust with clients, partners, and regulators.
What Are AICPA Attestation Services?
Attestation services are independent evaluations performed by CPAs to assess an organization’s internal control design and effectiveness. They provide a trusted, third-party opinion on whether those controls align with designated criteria, such as security or financial reporting.
These services are governed by the Statements on Standards for Attestation Engagements (SSAE)—the latest being SSAE No. 23, effective for engagements on or after December 15, 2025. This standard strengthens alignment with quality management practices and ensures greater audit consistency across industries.
A Breakdown of AICPA Attestation Reports
1. SOC 1 Reports
Focused on financial reporting controls that impact your clients’ financial statements. Common among payroll providers and SaaS accounting platforms.
- Type 1: Tests control design at a single point in time
- Type 2: Evaluates design and operating effectiveness over a defined period (typically 6–12 months)
2. SOC 2 Reports
Designed for service organizations that store, process, or transmit sensitive customer data—especially in cloud, SaaS, and managed IT environments. These audits evaluate controls across the Trust Services Criteria (TSC):
- Security (required)
- Availability, Processing Integrity, Confidentiality, and Privacy (optional and based on business needs)
- Type 1: Snapshot of control design at a specific point in time
- Type 2: Tests control effectiveness over a 3–12 month period
3. SOC 3 Reports
Public-facing versions of SOC 2 reports. These omit technical details and are ideal for marketing or general stakeholder assurance on websites or investor decks.
4. SOC for Cybersecurity
Evaluates the effectiveness of an organization’s enterprise-wide cybersecurity risk management program. Best suited for executive stakeholders, boards, or insurers seeking broad assurance.
5. SOC for Supply Chain
Introduced in 2020, this report evaluates supply chain risk management controls, particularly around production, logistics, and distribution systems. It’s valuable for organizations with complex vendor networks or operational dependencies.
Implementing the right attestation services communicates a clear message: your organization takes risk seriously and has the controls to prove it.
Do Non-Attestation Services Apply to Your Organization?
Not all assurance-related services fall under the umbrella of attestation. Non-attestation services do not include a CPA’s opinion and are not governed by SSAE standards.
These may include:
- Preparing financial statements or tax filings
- Performing cash-to-accrual conversions
- Assisting with ERP implementations
- Offering accounting and reconciliation support
Although valuable, these services do not assess control effectiveness or provide formal assurance. If your CPA firm offers both attestation and non-attestation services, it’s critical to establish clear engagement boundaries to preserve auditor independence and minimize risk.
Working with an experienced SOC 2 compliance partner ensures all services are appropriately scoped and executed in accordance with AICPA guidance.
SOC 2 Type 1 vs. Type 2: Which Is Right for You?
If your organization handles confidential client information or provides technology services, SOC 2 compliance is often the benchmark standard.
Here’s how the two audit types differ:
| SOC 2 Type 1 | SOC 2 Type 2 |
| --- | --- |
| Assesses design of controls | Assesses design and operational effectiveness |
| Fixed point in time | Continuous evaluation over a 3–12 month period |
| Often used for initial audits | Preferred by clients for ongoing assurance |
| Faster to complete | Requires sustained control performance |
Security is a mandatory Trust Services Criterion for both types. Depending on your risk profile or service offering, you may also select Availability, Confidentiality, Processing Integrity, or Privacy for inclusion.
Stakeholders—including clients, investors, and regulators—often prefer SOC 2 Type 2 because it shows how well your controls perform over time. Many organizations start with Type 1 and advance to Type 2 as they mature their control environment.
Prepare for SOC 2 Audits with Confidence
Achieving SOC 2 compliance requires more than documentation. It requires the ability to operationalize controls, demonstrate evidence of compliance, and pass formal testing.
RSI Security’s advisory services include:
- SOC 2 readiness assessments
- Gap analysis against your selected Trust Services Criteria
- Control documentation, testing, and remediation support
- Liaison support with your audit firm during formal engagement
- Ongoing guidance to maintain compliance after your audit is complete
Whether you’re pursuing Type 1 for the first time or preparing for a Type 2 reassessment, we’ll help you build a scalable, auditable program from day one. Let RSI Security guide your journey from readiness to report.
Download Our SOC 2 Checklist