Glossary · Compliance concepts
What is Attestation?
Also known as: SOC 2 attestation, CPA attestation report
An attestation is a CPA firm's formal opinion on whether an organization's controls are designed and operating as described, most commonly delivered as a SOC 2 report. It differs from certification, where an accredited body certifies conformance to a standard like ISO 27001. An attestation is an auditor's opinion, not a pass-or-fail certificate.
Key takeaways
- An attestation is an independent CPA firm's opinion on an organization's controls.
- SOC 2 is the most common attestation in the technology industry.
- It contrasts with certification, where an accredited body certifies an ISMS against ISO 27001.
- SOC 2 comes in Type I (design at a point in time) and Type II (operating effectiveness over a period).
- The deliverable is a report containing an opinion, not a certificate.
What an attestation is
An attestation is a formal opinion issued by a licensed CPA firm about whether an organization's controls are suitably designed and, depending on the report type, operating effectively. The best-known example is SOC 2, an attestation report covering the Trust Services Criteria.
The defining feature is that an independent auditor expresses a professional opinion. The deliverable is a report, often lengthy, describing the system, the controls, the tests performed, and the auditor's conclusion. There is no pass-or-fail badge; readers interpret the opinion and any noted exceptions themselves.
Customers and partners typically request an attestation report to gain assurance about a vendor's controls before trusting it with their data.
Attestation versus certification
The key distinction is who issues the result and in what form. An attestation comes from a CPA firm as an opinion, while a certification, such as ISO 27001, comes from an accredited certification body that certifies an organization's ISMS conforms to the standard.
- Attestation: CPA firm, opinion report, common example SOC 2
- Certification: accredited body, certificate, common example ISO 27001
- Attestation deliverable is a detailed report; certification deliverable is a certificate plus surveillance
Both provide third-party assurance, but they are not interchangeable. Some customers specifically request one or the other, and many organizations pursue both to satisfy different audiences.
SOC 2 Type I versus Type II
Within SOC 2 attestation there are two report types. A Type I report opines on whether controls are suitably designed at a single point in time. A Type II report goes further, opining on whether those controls operated effectively over a period, which requires evidence collection across the entire window.
Type II is generally the more demanding and more valued report because it tests sustained operation, not just design. Maintaining the evidence needed across the period is where continuous control monitoring and automated evidence collection make the biggest difference.
An attestation report may include exceptions, which are instances where a control did not operate as intended. The presence of exceptions does not automatically invalidate the report; it informs the reader's judgment.
Frequently asked questions
- What is the difference between attestation and certification?
- An attestation is a CPA firm's opinion on your controls, delivered as a report, such as SOC 2. A certification is an accredited body's confirmation that your management system conforms to a standard, such as ISO 27001, delivered as a certificate.
- Is SOC 2 a certification?
- No. SOC 2 is an attestation. A CPA firm issues an opinion report on your controls rather than a certificate, which is why you receive a SOC 2 report rather than a SOC 2 certificate.
- What is the difference between SOC 2 Type I and Type II?
- Type I assesses whether controls are suitably designed at a point in time, while Type II assesses whether they operated effectively over a period, typically several months, making Type II the more rigorous report.
- Can a report include exceptions and still be useful?
- Yes. An attestation report may note exceptions where a control did not operate as intended. The report remains useful because readers weigh the exceptions against the overall opinion.