The Gap in AICPA Peer Review for New CPA Firms
The American Institute of Certified Public Accountants (AICPA) runs a peer review program that CPA firms must enroll in to perform certain attest services. A newly formed CPA firm can enroll in the AICPA peer review system and, for a period of time, appear compliant to the market without yet having a completed peer review on record. Under AICPA guidance, a firm’s initial peer review is ordinarily due 18 months from the date it enrolled, or from when it should have enrolled, whichever is earlier.
That timing rule has a sensible purpose. A peer review cannot happen until a firm has actually performed work that falls within the program. But the same rule creates an obvious weakness: during that initial period, enrollment can look like proof of quality when it is only proof that the firm is in the program.
In the SOC 2 market, enrollment is treated as a quality signal
This matters in the SOC 2 market because SOC 2 reports are attest engagements. Delaware, for example, requires CPA firm permit holders that provide attest or compilation services to be enrolled in a board-approved peer review program. The state also requires firms to comply with that program’s standards and submit proof of enrollment.
So yes, a firm can be enrolled and still have no completed peer review result yet. That is the gap.
Enrolled means the clock has started, not that the firm has been tested
The point should be stated carefully. Enrollment is not fake. It is a real status. A newly enrolled firm may be allowed to perform in-scope work while still within the period before its first review is due, assuming it also meets the applicable licensing and permit requirements. At the same time, the public meaning of that status is easy to overread. “Enrolled” does not mean the firm has already been tested and passed. It may simply mean the clock has started.
That is where the structural weakness appears.
A new entity can market the appearance of compliance before any review occurs
The peer review framework is organized around the firm. In practice, that means a newly created entity can present itself to customers as an enrolled CPA firm even though no peer review outcome yet exists for that entity. If the people behind the firm are serious professionals, that gap may not matter much. If they are not, the gap becomes useful. It gives them a period in which they can market the appearance of compliance before a peer review has had any chance to test the quality of their work. This inference follows directly from how the enrollment and review-timing rules operate.
The AICPA itself has signaled that this area deserves scrutiny. In a recent notice about allegations involving a compliance vendor offering SOC services, it said that if auditors involved are found not to have performed work in accordance with professional standards, not to have been enrolled in peer review, or to have been unlicensed, it will take action with respect to its members. That statement is important because it shows the AICPA views peer review enrollment and licensing as threshold matters in this market.
The problem is structural, not universal
Still, the concern here is not only about firms that are outside the rules. It is also about firms that sit inside the rules, at least formally, while still benefiting from a period before any review result exists.
That is why the issue is best described as a gap in the structure, not as a claim that every newly enrolled firm is suspect. Most are not. The problem is narrower and more serious than that: the framework allows a new firm to carry the label of peer review enrollment before the market has any actual peer review outcome to examine. Where the same principals can move from one entity to another, that gap can become a practical workaround.
Buyers are making diligence decisions on an administrative status
The result is predictable. Buyers, startups, and GRC teams may treat enrollment as a quality signal when it is often only an administrative status. That can distort diligence. It can also make it easier for low-quality firms to compete on speed and volume before their work has faced external review.
A better public understanding would start with one simple distinction:
Enrolled does not mean reviewed.
That distinction is easy to miss, and the market often misses it.
If there is a reform question here, it is not whether new firms should be allowed time before their first peer review. They should. The real question is whether the current framework does enough to distinguish between a firm that is merely inside the system and a firm whose work has actually been tested.
Right now, that distinction exists in the rules, but not always in how the status is perceived.
Key Takeaways