SOC 2 attestation vs certification and why the distinction matters legally

SOC 2 is not a certification. It is an attestation report issued by a licensed CPA firm expressing a professional opinion about your controls. Calling it a certification on your website or in sales materials is not just wrong, it can create real legal exposure for your company.

Quick answers

Is SOC 2 a certification? No. SOC 2 produces an attestation report where a licensed CPA firm expresses a professional opinion about your controls. There is no certificate issued, no pass/fail, and no certifying body.

What is the legal difference? A certification is granted by an accredited body confirming you meet defined requirements. An attestation is a CPA firm's professional opinion about whether your description of controls is fairly stated. The liability structures are completely different.

Why does this matter practically? Putting “SOC 2 certified” on your website is a misrepresentation. Your prospects’ security teams know the difference. Getting this wrong signals you don’t actually understand the compliance framework you claim to follow.

You don’t get SOC 2 certified. Nobody does. There is no such thing as SOC 2 certification, and every time a SaaS company puts “SOC 2 Certified” on their trust page, they’re telling the world they don’t understand the very compliance framework they’re claiming to follow.

This isn’t pedantry. The distinction between attestation and certification carries real legal weight, and the people evaluating your security posture know exactly what these words mean.

Why the language matters legally

Certification and attestation are different legal instruments with different liability structures.

When you get ISO 27001 certified, an accredited certification body examines your information security management system and issues an actual certificate. That certificate states you meet the requirements of an international standard. There are currently 38 ANAB-accredited certification bodies that can issue ISO 27001 certificates, and each one is accountable to the accreditation process.

(Figure: Trust Services Criteria overview)

SOC 2 works nothing like this. A licensed CPA firm examines your controls against the AICPA’s Trust Services Criteria and then issues a report containing their professional opinion. That’s it. No certificate. No pass/fail badge. An opinion from an auditor about whether your description of controls is fairly stated.

The opinion itself comes in four possible types: unqualified (clean, no issues found), qualified (mostly fine but with specific exceptions), adverse (material problems), or disclaimer (couldn’t get enough evidence to form an opinion). A company can receive a SOC 2 report with a qualified opinion and still technically “have” a SOC 2. That alone should tell you this isn’t certification.

When you write “SOC 2 certified” in a contract, a sales deck, or on your website, you’re making a factual claim that isn’t true. If a prospect relies on that claim when making a purchasing decision and something goes wrong later, the misrepresentation becomes relevant. Maybe not in every situation. But it’s an unnecessary and avoidable risk.

What attestation actually means under AICPA standards

The AICPA’s attestation standards, specifically AT-C Section 205, define what a SOC 2 examination actually is. It’s an examination engagement where a CPA firm evaluates management’s assertion about the design and operating effectiveness of controls.

Here’s how it works in practice. Your company writes a system description and asserts that your controls meet the Trust Services Criteria. The CPA firm then independently tests those controls and forms an opinion about whether they agree with your assertion. The resulting report is their professional opinion, not a stamp of approval.

This structure means something specific. Only a licensed CPA or CPA firm can perform a SOC 2 examination. Not a consulting firm. Not a security company. Not a compliance platform. The CPA firm stakes their professional license on the opinion they issue, and they face liability exposure if they’re negligent in forming that opinion. This is why the word “attestation” matters. It carries professional accountability that “certification” from an unregulated body simply doesn’t.

It’s also worth noting that SOC 2 reports are typically confidential. You don’t display them publicly. You share them under NDA with prospects and customers who request them. Compare that to ISO 27001, where you can publicly reference your certification and the certificate itself is a matter of record. The whole distribution model is different.

At Tallyfy, we went through this process ourselves. The lesson was clear: the CPA firm’s opinion is what has legal standing. Everything else, the compliance platform, the evidence collection, the control documentation, exists to support that moment when the auditor forms their opinion. We’ve written about how we replaced our compliance platform with AI and Google Drive for the evidence management side, but the attestation itself still requires a licensed CPA firm. Always will.

How this affects your sales conversations

Here’s where this gets practical. Your sales team is probably saying “SOC 2 certified” on calls. Your marketing team probably has a badge on the website that says “SOC 2 Certified” with a little shield icon. And every security-aware prospect who sees it makes a mental note that you don’t know what you’re talking about.

Enterprise security teams, especially at companies large enough to have a dedicated security review process, understand these distinctions perfectly. When they see “SOC 2 certified” on your trust page, it signals one of two things: either you don’t understand the compliance framework, or you’re deliberately being imprecise. Neither builds confidence.

The correct language is straightforward. You can say:

  • “We have completed a SOC 2 Type II examination”
  • “We have received an unqualified SOC 2 Type II attestation report”
  • “Our SOC 2 Type II report is available under NDA”
  • “We undergo annual SOC 2 Type II examinations”

You should not say:

  • “We are SOC 2 certified”
  • “We have SOC 2 certification”
  • “Our SOC 2 certification proves…”

The difference is small in words but large in meaning. An attestation report documents a CPA firm’s opinion about your controls at a specific point in time or over a defined period. A certification would imply a governing body has granted you a status you can maintain. SOC 2 has no governing body that grants anything. The AICPA defines the criteria and the examination standards. Your CPA firm performs the examination. The report reflects their findings. Nobody certifies you. If you need a primer on what SOC 2 actually involves, start with that before rewriting your copy.

The practical difference for your company

(Figure: Key differences between attestation and certification frameworks)

Beyond language, this distinction affects how you should think about SOC 2 internally.

Because SOC 2 is an opinion rather than a certification, the quality of your CPA firm matters enormously. Two different firms examining the same controls can produce different reports. One firm might flag something as an exception where another considers it immaterial. The professional judgment of the auditor is the mechanism, not a standardized checklist with a pass/fail binary.

This also means SOC 2 reports aren’t directly comparable across companies. The scope can differ. The Trust Services Criteria selected can differ. The testing depth can differ. Sophisticated buyers understand this, which is why they actually read the report rather than just confirming it exists.

SOC 2 reports are also only considered current for about 12 months. There’s no formal expiration, but the industry standard is that a report older than a year is stale. Understanding what a report should contain helps here. Compare that to ISO 27001 certification, which is valid for three years with annual surveillance audits.

If you’re going through SOC 2 for the first time, or if you’ve been calling it a certification until now, fix the language everywhere. Website, sales decks, contracts, RFP responses. It takes an hour to find and replace, and it immediately signals to anyone reviewing your security posture that you actually understand what you’ve been through.

The words matter. Use the right ones.

About the Author

Amit Kothari is an experienced consultant, advisor, coach, and educator specializing in AI and operations for executives and their companies. With 25+ years of experience and as the founder of Tallyfy (raised $3.6m), he helps mid-size companies identify, plan, and implement practical AI solutions that actually work. Originally British and now based in St. Louis, MO, Amit combines deep technical expertise with real-world business understanding.

Disclaimer: The content in this article represents personal opinions based on extensive research and practical experience. While every effort has been made to ensure accuracy through data analysis and source verification, this should not be considered professional advice. Always consult with qualified professionals for decisions specific to your situation.