Audit Logic Transparent Attestation Software

AttestIQA is the CaseWare® of SOC 2
The CPA Professional Standard of SOC 2

98% of solo CPA firms don’t offer SOC 2. You can be the 2%. AttestIQA gives independent CPAs a structured, peer-review-ready workpaper platform to conduct SOC 2 Type II attestations: no IT expertise, no subcontractor, no Big 4 infrastructure required. One engagement pays $12K–$18K and renews every year. Health-tech companies: demand your CPA use independent, AICPA-compliant tools.

Transparency.  Visibility.  Integrity.

Launch AttestIQA Free →
10,000+ health-tech companies need SOC 2
$12K–$18K per engagement (CPA billing)
98% of solo CPAs don’t offer SOC 2 yet
$10,000 IT consultant cost per engagement
An Independent Attestation Platform.
Purpose-Built for Independent CPA Firms.

AttestIQA is an independent attestation platform built in direct response to the AICPA’s April 6, 2026 Ethics Staff Insights requirement for audit logic transparency. Not venture-funded. Not enterprise scale. Built to give solo and small CPA firms the same workpaper infrastructure as the Big 4, without the overhead.

Protecting the People We Serve: the Patient.

98% of solo CPA firms don’t offer SOC 2 yet: the market is wide open
$12K–$18K per engagement, with annual renewal from every client
62 Controls: complete TSC coverage for Security + Confidentiality + Privacy, AT-C 205 compliant

“The AICPA’s Ethics Staff Insights (April 6, 2026) cautioned CPAs against relying on compliance automation platforms that don’t expose their underlying test logic. AttestIQA was built specifically for that requirement: every automated test publishes its exact CLI command in the workpaper.”

AICPA Ethics Staff Insights, April 6, 2026  ·  ET §1.200.001  ·  SSAE 21 / AT-C 205

Built in direct response to a documented AICPA requirement.

The AI Disruption Opportunity

AI Is Replacing Bookkeeping and Tax Prep.
It Cannot Replace a Licensed CPA’s Attestation Opinion.

AI platforms are automating bookkeeping, payroll, and routine tax preparation. Solo and small CPA firms are losing services that can be reduced to pattern recognition and data entry.

SOC 2 Type II attestation is structurally different. AT-C 205 requires a licensed CPA to issue the professional opinion. No AI can sign the report, provide the independence AICPA standards require, or carry the legal liability a client’s board expects.

The same independence standard that shields attestation from AI disruption is the standard AttestIQA was built to satisfy.

98% of solo CPA firms do not offer SOC 2 yet. The CPAs who add attestation services now will own this market. AttestIQA makes it accessible without IT expertise, without Big 4 infrastructure, and without an IT subcontractor.

Attestation Software.
Not Compliance Automation.

Vanta and Drata serve the company being audited. AttestIQA serves the CPA issuing the opinion. Different buyers, different markets, different regulatory obligations.

“Like CaseWare structures your financial audit workpapers, AttestIQA structures your SOC 2 attestation workpapers, purpose-built for the CPA issuing the opinion, not the company being audited.”
Standalone · Browser-based · No cloud sync · AES-256-GCM encrypted · No server · Offline capable

# AttestIQA: Audit Logic for C-10 CloudTrail
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteTrail \
  --start-time 2026-01-01 \
  --end-time 2026-06-30 \
  --output json | jq '.Events | length'
# Expected: 0 (no unauthorized deletions)

Audit Logic Transparency

No IT Expert Required. AttestIQA Runs Every AWS Test for You.

CPAs don’t become AWS experts to use AttestIQA. The built-in master evidence script runs all AWS tests under AuditorReadOnly credentials with a single command. Every control records the exact CLI command used, peer-review-ready by default. No IT subcontractor. No $3,000–$8,000 cost per engagement. You own the evidence from the moment it is collected.
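
An added example, not AttestIQA's own code: one way to evaluate the saved JSON output of the C-10 command above and record how much of the examination period a single run can evidence, since CloudTrail event history (what `lookup-events` queries) only reaches back 90 days. The function name `evaluate_c10`, the sample event and the collection dates are constructed for illustration, and `EventTime` is assumed to be an ISO 8601 string with a UTC offset.

```python
import json
from datetime import datetime, timedelta, timezone

# CloudTrail event history, the source behind `lookup-events`, covers 90 days.
LOOKBACK = timedelta(days=90)

# Constructed sample of `aws cloudtrail lookup-events --output json` output;
# the event id, user name and time are made up for illustration.
SAMPLE_OUTPUT = json.dumps({"Events": [{
    "EventId": "00000000-0000-0000-0000-000000000001",
    "EventName": "DeleteTrail",
    "EventTime": "2026-05-14T09:21:07+00:00",
    "Username": "example-admin",
}]})

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def evaluate_c10(raw_json, period_start, period_end, collected_at):
    """Summarise one run of the C-10 test (hypothetical helper)."""
    events = json.loads(raw_json).get("Events", [])
    hits = []
    for ev in events:
        when = datetime.fromisoformat(ev["EventTime"])
        if ev.get("EventName") == "DeleteTrail" and period_start <= when <= period_end:
            hits.append((ev["EventId"], ev.get("Username"), when.isoformat()))
    # Earliest point in the period that this run could actually have seen.
    covered_from = max(period_start, collected_at - LOOKBACK)
    return {
        "delete_trail_events": len(hits),
        "hits": hits,
        "covered_from": covered_from,
        # Days at the start of the period that this run cannot speak for.
        "uncovered_days": (covered_from - period_start).days,
        # Clean only if nothing was found AND the lookback reaches period start.
        "passes": not hits and covered_from == period_start,
    }

if __name__ == "__main__":
    result = evaluate_c10(SAMPLE_OUTPUT, utc(2026, 1, 1), utc(2026, 6, 30),
                          collected_at=utc(2026, 6, 30))
    print(result["delete_trail_events"], result["uncovered_days"], result["passes"])
```

A count of 0 from a single run at period end leaves the first 90 days of this window unevidenced, which is why the collection date belongs in the workpaper next to the command.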

Peer Review Protection

Peer Review Passes by Default. Risk Protection Built In.

The most common SOC 2 peer review finding is undocumented professional judgment. AttestIQA eliminates this exposure. Before stamping each control, you attest you reviewed the raw log payload. The 24-item SQMS 1 quality checklist runs before every opinion. Your peer reviewer sees exactly what was tested, when, and how you judged it. No surprises. No findings.

WORKPAPER STAMPED
✓  AT-C 205 Log Payload Reviewed
✓  Professional Skepticism Narrative ≥ 20 chars
✓  CPA Initials: WL
Stamped: 2026-06-09T14:32:00Z
// Export for AI
attestiqa_AIRequest_exception_2026.json
↓ Upload to Claude.ai / ChatGPT
AI_Response_exception_2026.json
↓ Import back → Preview → Apply
No API key. No data transmitted externally.
AI Integration: AICPA ET §1.700 Compliant

AI-Assisted Without the Subprocessor Risk

Export a structured JSON to Claude or ChatGPT, receive a response, import it back with a preview modal. No API key embedded. AttestIQA itself transmits nothing, and every AI export is pseudonymized: the client is identified only by an engagement reference, never by name. The CPA chooses the AI, controls the data, and reviews every response before it touches the workpaper. The AI is the CPA’s tool, not a platform-level subprocessor. Satisfies AICPA ET §1.700 professional independence requirements.

HIPAA Compliance Workpapers
BAA / Subprocessor Register, HIPAA Training Records, Annual Penetration Test, IR Tabletop Exercise, Annual Security Risk Assessment, all in a dedicated evidence tab.
62 Controls Across AWS, IAM, Backup, and Policy
CloudTrail, KMS, Config, GuardDuty, S3, RDS, VPC, MFA, RBAC, MDM, BAA, IR, SRA, and more. Every control maps to SOC 2 TSC, HIPAA Security Rule, ISO 27001:2022 Annex A, AT-C 205, and SSAE 21. Multi-framework workpaper export per control.
28-Step Wizard: Report Writing Under 2 Hours
Report writing drops from 10-plus hours to under 2. Total engagement time cut from 30-50 hours to 15-25 hours. SQMS 1 pre-issuance quality check, Section I-V opinion generation, VRM questionnaire, and board presentation all built in.

The Architecture of
Independent Attestation

Principle 01
Data Completeness
Full population boundaries defined before testing begins. Every exclusion is logged. The CPA controls what was tested, and documents what was not.
Principle 02
Continuous Observation
Evidence collected directly by the CPA using AuditorReadOnly credentials. Testing occurs at multiple points across the 12-month observation period, not a point-in-time snapshot.
Principle 03
Immutable Logic
Verbatim test commands published in every workpaper. The exact CLI query that produced the evidence is preserved forever: version-controlled and peer-reviewable.
SOC 2 Type II · HIPAA Security Rule · ISO 27001:2022 · AICPA AT-C 205 · SSAE 21 · AICPA SQMS 1

From Engagement Setup to Signed Opinion:
One Browser Tab

No installation. No cloud sync. No IT subcontractor. All data encrypted in your browser with AES-256-GCM.

Add Client
Enter company name, select TSC scope (Security · Confidentiality · Privacy), employee count, and engagement period.
Run 62 Controls
Log in with AuditorReadOnly credentials. Run the master evidence script. Review actual output vs. expected for each control.
Sign & Stamp
Write the Professional Skepticism Narrative. Verify the raw log payload. ISO-timestamp the attestation.
Issue Opinion
28-step wizard, SQMS 1 quality check, export structured workpapers, generate Section I–V opinion report.

CPA-Side Attestation vs.
Client-Side Compliance Automation

Vanta and Drata are evidence-collection tools sold to the company being audited. AttestIQA is the CPA’s workpaper platform. They complement each other; they are not in the same category. Health-tech companies: choose a CPA who uses AttestIQA. Your attestation is only as independent as your auditor’s tools.

AttestIQA
SaaS Compliance Platforms
(Vanta  ·  Drata  ·  Similar)
AICPA Independence (ET §1.200.001)
No cross-referral arrangement with auditee
Test logic exposed in workpaper (AT-C 205)
Evidence collected directly by CPA (not vendor-mediated)
AT-C 205.43 peer-review-ready workpapers
ISO 27001 Annex A multi-framework mapping
No IT consultant required for AWS testing
No ongoing SaaS subscription fee
HIPAA BAA / Subprocessor Register built in
SaaS compliance platforms help companies prepare for an audit. AttestIQA is what the CPA uses to conduct the audit. A company using Vanta still requires an independent CPA to issue the SOC 2 Type II report. That is the engagement AttestIQA enables.

SOC 2 Pays Well.
And Every Client Renews.

Annual examination means every client is a recurring revenue stream. Revenue compounds as your practice grows.

                   | Year 1     | Year 2      | Year 3
Engagements / Year | 6–10       | 10–16       | 15–22
Net Revenue        | $58K–$110K | $112K–$196K | $188K–$293K

Net figures reflect $3,000–$8,000 IT subcontractor savings per engagement. SOC 2 is annual. Every client is a renewal opportunity.

Per-Engagement. No Subscription.
No Lock-In.

Pay per engagement, not per month. Contact for current pricing.

Solo Practice
Solo
1–5 engagements / year
  • Full platform: all 62 controls
  • All 5 framework mappings
  • AT-C 205 workpaper export
  • Section I–V report generation
  • 28-step engagement wizard
  • Email support
Contact for Pricing
Enterprise / Firm
Enterprise
16+ engagements / year
  • Firm-wide license
  • Custom onboarding & training
  • Co-branded workpaper templates
  • API integration roadmap
  • Dedicated account manager
  • SLA / uptime commitment
Contact for Pricing

Frequently Asked

Those are automated evidence collectors sold to the company being audited; they help prepare for an audit. AttestIQA is the CPA’s workpaper system. It is what the auditor uses to run the engagement. The AICPA’s April 6, 2026 guidance specifically cautioned against platforms that don’t expose test logic to the CPA. They complement each other; one doesn’t replace the other.
AttestIQA itself transmits nothing. It runs 100% locally: no servers, no cloud databases, no subprocessors. The only attack surface is your local machine, which you already control. All engagement data is encrypted at rest with AES-256-GCM using a key derived from your session password via PBKDF2-SHA256 (100,000 iterations). The only data that ever leaves is a pseudonymized AI export the CPA chooses to carry, with the client identified by engagement reference only.
No download needed. AttestIQA is delivered as a web application at attestiqa.com. When we release an update, the new version is live the next time you open attestiqa.com; everyone receives the update automatically at the same time. Your engagement data stays in your browser’s localStorage and carries over to the updated version with no migration needed.
The workflow and report structure follow AT-C 205 (SSAE 21) and align with AICPA Ethics Staff Insights (April 6, 2026, ET §1.200.001). The SQMS 1 pre-issuance quality checklist is built into the engagement wizard. Engagement-specific compliance remains the CPA’s professional responsibility, as it should under any attestation standard.

Meet the Founder.
Get in Touch.

Walter Larkins
Founder & Developer, AttestIQA
Founder & CEO, Sapphire Healthcare AI

Walter Larkins is Founder & CEO of Sapphire Healthcare AI and the developer of AttestIQA. A UCLA graduate and ROTC scholarship winner who attended the U.S. Military Academy at West Point, he served four years as a U.S. Army Captain stationed in Europe, where he attended Boston University’s European Division MBA program. As President and CEO of Endosurgical Development Corp., he led the invention of a minimally invasive heart surgery system acquired by a Johnson & Johnson company. He served on the Board of Directors of NASDAQ-traded En Ponte Technology, Inc., and founded CDR Financial Services, a leading healthcare-focused accounts receivable management company. He holds multiple issued and pending U.S. and international patents.

After two decades building and operating health-tech companies that needed SOC 2 attestations firsthand, he built AttestIQA because the structured, CPA-grade workpaper platform his CPAs needed simply did not exist.

Contact

Walter Larkins
Founder & Developer
235 E Broadway, Ste 624, #118
Long Beach, CA 90802

Platform Specs

  • 62 SOC 2 controls across 6 categories
  • 5 framework mappings (SOC 2, HIPAA, ISO 27001, AT-C 205, SSAE 21)
  • 28-step engagement wizard
  • Local AES-256-GCM encryption. No cloud
  • Single-file HTML, fully offline capable
  • Structured JSON workpaper export
  • HIPAA evidence tab (BAA, Training, Pen Test, IR, SRA)
  • AICPA-compliant per Ethics Staff Insights April 6, 2026
System Requirements
  • Browser: Chrome 90+, Firefox 90+, Safari 14+, Edge 90+
  • Install: None. Visit attestiqa.com in any supported browser. No download or installation required.
  • Internet: Required to access attestiqa.com. Engagement data is stored locally in your browser; it is never transmitted externally.
  • OS: Windows, macOS, Linux. Any OS with a supported browser.
  • Storage: ~5–10 MB browser localStorage for engagement data.
  • Server: None. 100% local. No cloud account. No setup.

Ready to Add SOC 2
to Your Practice?

Launch free. Load the demo client. See a completed SOC 2 Type II engagement in under 5 minutes. No account, no credit card required.
