When your CPA firm sends you a list of evidence requests, they are not working from their own checklist. They are working from a set of professional standards issued by the American Institute of Certified Public Accountants that govern how every SOC 2 examination must be conducted. Those standards are called the AT-C sections, and they sit inside a framework called SSAE No. 18.
Understanding these standards is not an academic exercise. They explain why your auditor asks for what they ask for, why certain evidence is accepted and other evidence is not, and what the auditor is legally required to conclude. If you have ever been confused by an evidence request or surprised by an audit finding, the answer is usually in AT-C 105 or AT-C 205.
What SSAE No. 18 Is
Statements on Standards for Attestation Engagements No. 18, commonly written as SSAE 18, is the current framework governing all attestation work performed by CPA firms in the United States. It replaced SSAE 16 in 2017 and reorganized the attestation standards into a cleaner, modular structure called the AT-C sections.
SSAE 18 introduced three types of attestation engagement: examination, review, and agreed-upon procedures. SOC 2 audits are examination engagements, which is the most rigorous of the three. In an examination, the practitioner must obtain sufficient appropriate evidence to provide a reasonable basis for the opinion, and the opinion provides positive assurance. This is a higher standard than a review, where the practitioner provides limited assurance based on inquiry and analytical procedures.
The practical effect is that your CPA firm cannot simply ask you whether your controls are working. They must obtain independent evidence that your controls are working. Their professional opinion is their own, grounded in their own evidence collection and testing, not a summary of what you told them.
AT-C Section 105: Concepts Common to All Attestation Engagements
AT-C 105 is the foundational section. It establishes the concepts and requirements that apply to all attestation engagements, including SOC 2 examinations. The most important concepts for service organizations to understand are subject matter, suitable criteria, and responsible party.
AT-C 105 — Key Concepts
Subject matter is what is being examined. In a SOC 2, it is the design and operating effectiveness of your controls over a defined period.
Suitable criteria are the standards against which the subject matter is measured. In SOC 2, these are the AICPA Trust Services Criteria (TSC), formerly the Trust Services Principles.
Responsible party is management of the service organization. Management asserts that its description of the system is fairly presented and that the controls are suitably designed and operating effectively. The practitioner tests those assertions.
AT-C 105 also establishes the independence requirements that apply to the CPA firm. The firm and the individual practitioners must be independent of the service organization in fact and in appearance. They cannot have a financial interest in the organization, cannot be employed by it, and cannot have performed work on the controls they are auditing. This is why readiness work and attestation work must be performed by different firms.
The Assertion Structure
Under AT-C 105, SOC 2 reports are assertion-based. That means management makes specific assertions that the practitioner then tests. In a SOC 2 Type 2 report, management asserts three things: that the system description is fairly presented, that the controls are suitably designed to achieve the relevant criteria, and that those controls operated effectively throughout the audit period.
This structure has a critical implication for you. The system description is your document. You write it, and you are responsible for its accuracy. If your system description says you conduct quarterly access reviews and you cannot produce evidence of those reviews, you have made an assertion you cannot support. The auditor will not simply note a missing control. They will note that management's assertion is not supported by evidence, which is a materially different finding.
AT-C Section 205: Examination Engagements
AT-C 205 is the section that specifically governs examination engagements, which is what a SOC 2 audit is. It sets out the detailed requirements for how auditors must plan, perform, and report on an examination. Reading AT-C 205 gives you a precise understanding of what your CPA firm is required to do.
Planning Requirements
AT-C 205 requires the practitioner to plan the engagement to reduce attestation risk to an acceptably low level. Attestation risk is the risk that the practitioner expresses an inappropriate opinion. It has two components: the risk of material misstatement in management's assertions, and detection risk, which is the risk that the auditor's procedures will fail to catch a misstatement that exists.
To manage attestation risk, your CPA firm will assess the nature and complexity of your system, the risk profile of your industry, and the quality of your internal controls before they design their testing procedures. Higher risk environments get more rigorous testing. If your company handles sensitive health data, processes financial transactions, or operates in a regulated industry, your auditor will calibrate their procedures accordingly.
Evidence Requirements
AT-C 205 requires the practitioner to obtain sufficient appropriate evidence on which to base the opinion. Both words matter. Sufficient means there must be enough evidence to support the conclusion. Appropriate means the evidence must be relevant and reliable.
Reliability is where GRC platform exports often fall short. AT-C 205 states that the reliability of evidence is influenced by its source and nature. Evidence obtained directly by the practitioner is more reliable than evidence provided by management. Evidence from external sources is more reliable than evidence from internal sources. Evidence in documentary form is more reliable than oral evidence.
A platform export is evidence generated by a system under management's control and provided to the auditor by management. It sits at the less reliable end of the reliability spectrum. That does not mean it is worthless, but it means the auditor must do additional work to corroborate it. If a platform export says a control is passing and the auditor cannot independently verify that through source logs, configurations, or direct observation, the evidence is insufficient for the purposes of AT-C 205.
Sampling Requirements
For SOC 2 Type 2, AT-C 205 requires the auditor to test controls over the entire audit period. They do this through sampling: selecting a representative set of transactions, events, or records and testing whether each control operated as described. The size of the sample depends on the auditor's assessment of risk and the frequency of the control.
A control that operates daily requires a larger sample than one that operates annually. A control in a high-risk area requires a larger sample than one in a low-risk area. For high-frequency controls like automated log monitoring, auditors typically test a sample of daily or weekly outputs. For lower-frequency controls like quarterly access reviews, they will often test all occurrences within the audit period, since there are only four.
What This Means for Your Evidence Collection
If your audit window is twelve months, you need to be able to produce evidence for every control from month one through month twelve. A sample pulled in month eleven does not demonstrate operating effectiveness across the full period.
The Opinion
AT-C 205 prescribes how the practitioner's opinion must be expressed. In a SOC 2 Type 2 audit, the opinion covers three things: whether the system description is fairly presented, whether the controls are suitably designed, and whether those controls operated effectively throughout the period.
The opinion can be unqualified (clean), qualified (with exceptions noted), adverse (controls not suitably designed or not operating effectively), or disclaimed (if the auditor cannot obtain sufficient evidence). An adverse opinion or a qualified opinion with significant findings is a serious outcome. Customers and enterprise procurement teams read SOC 2 reports carefully. Findings that indicate controls were not operating effectively raise questions that can delay or kill deals.
How This Shapes Audit Preparation
Knowing the AT-C framework changes how you approach readiness. Most companies treat SOC 2 preparation as a documentation exercise: write the policies, configure the platform, collect the exports. AT-C 205 tells you it is an evidence examination: every assertion you make in your system description and control framework must be substantiated by independent, verifiable evidence that an auditor can examine and corroborate.
The practical checklist looks like this. Your system description must be accurate and current. Every control described must have a corresponding evidence trail. That evidence must span the full audit window. It must be sourced from systems and records that the auditor can trace back to their origin. Platform exports need to be supplemented with source records. And your management team must be able to explain and demonstrate your controls, not just point to a dashboard.
The AT-C standards also explain why a pre-audit dry run is valuable. When you simulate the auditor's evidence testing before the real engagement, you are applying AT-C 205's evidence sufficiency standard to your own artifacts. Any evidence that would fail that standard in a dry run will fail it in the actual audit. Better to find that out before the auditor does.
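As an added illustration, not part of the original article and not any auditor's tool, the following Python script applies the full-period requirement from the sampling discussion to a constructed evidence inventory: for each control it flags every stretch of the audit window where the gap between consecutive artifacts exceeds the control's cadence, which is the kind of check a pre-audit dry run would perform. The cadence thresholds, control names and dates are assumptions.

```python
from datetime import date, timedelta

# Maximum acceptable number of days between consecutive evidence artifacts for a
# control of a given cadence. Assumed thresholds with a small tolerance for
# weekends and scheduling slip; an auditor's own expectations may differ.
MAX_GAP_DAYS = {"daily": 3, "weekly": 10, "monthly": 40, "quarterly": 100, "annual": 370}

def coverage_gaps(frequency, evidence_dates, period_start, period_end):
    """Return [(gap_start, gap_end), ...] for spans inside the audit period where the
    distance between consecutive artifacts (or a period boundary) exceeds the cadence."""
    max_gap = timedelta(days=MAX_GAP_DAYS[frequency])
    in_period = sorted(d for d in evidence_dates if period_start <= d <= period_end)
    gaps, prev = [], period_start
    for d in in_period + [period_end]:   # period_end acts as a final sentinel
        if d - prev > max_gap:
            gaps.append((prev, d))
        prev = d
    return gaps

def uncovered_days(gaps):
    """Total number of days inside the reported gaps (a quick severity read)."""
    return sum((end - start).days for start, end in gaps)

def dry_run(controls, period_start, period_end):
    """Apply coverage_gaps to every control; returns {control_name: gaps}."""
    return {name: coverage_gaps(freq, dates, period_start, period_end)
            for name, (freq, dates) in controls.items()}

# Constructed sample: a twelve-month audit window and two controls.
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 12, 31)
SAMPLE_CONTROLS = {
    # Quarterly access review: one signed review per quarter, all four present.
    "quarterly access review": ("quarterly", [
        date(2024, 3, 28), date(2024, 6, 27), date(2024, 9, 26), date(2024, 12, 19)]),
    # Daily log-monitoring output: exports exist only for November (month eleven).
    "automated log monitoring": ("daily", [
        date(2024, 11, 1) + timedelta(days=i) for i in range(30)]),
}

if __name__ == "__main__":
    for name, gaps in dry_run(SAMPLE_CONTROLS, PERIOD_START, PERIOD_END).items():
        if not gaps:
            print(f"{name}: evidence spans the full audit period")
        for start, end in gaps:
            print(f"{name}: no evidence between {start} and {end} ({(end - start).days} days)")
```

Running it reports the quarterly review as fully covered and the log-monitoring control as uncovered from January through October and again in December, which is exactly the month-eleven sample the article warns about.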
The AT-C framework has been in place since 2017, but its practical application has tightened significantly in the past two years. CPA firms are under greater scrutiny, peer reviews are more rigorous, and the AICPA has made clear that firms whose SOC 2 methodologies are not aligned with the attestation standards risk their standing. That accountability flows directly to the service organizations being audited. The standards are not new. The enforcement of them is.