Our SOC 2 Audit Engagement Process

Effective, clear, and tech-powered SOC audits.

A Sage Approach

Your time is valuable, and going through a SOC 2 audit shouldn’t feel like a mystery. This page outlines what to expect at each phase of the engagement so you’re never left wondering where things stand or what’s next. We believe in open communication, clear expectations, and making the most of your efforts throughout the audit process.

Every step of the audit engagement process is structured to be collaborative and efficient. We guide you through each phase so there are no surprises and no wasted effort. Throughout the engagement, we hold regular check-in meetings or schedule sessions as needed to keep communication clear and ensure progress stays on track. Our team handles the assurance work while keeping you informed, involved, and confident about where things stand.

Sage Audits Team at Ball Arena - Denver, Colorado

1. Readiness Assessment (Optional and Recommended)

Before beginning your SOC 2 examination, it’s often beneficial to conduct a readiness assessment—especially if this is your first SOC 2 audit, you've recently made major changes to your environment, or you want a clearer understanding of where you stand.

  • Purpose of Readiness
    • Identify and document the services and systems to be included in the SOC 2 scope
    • Map your current controls to the applicable Trust Services Criteria (TSC)
    • Determine where gaps or weaknesses exist
    • Help your team prepare the system description and control listing needed for the audit
  • Typical Activities
    • Reviewing policies, procedures, and system documentation
    • Interviewing control owners to understand how your environment is managed
    • Assisting with alignment of controls to the selected TSC categories and points of focus
    • Highlighting control gaps, missing documentation, or areas needing improvement
    • Providing recommendations that help you prepare for the formal audit
  • Management Responsibilities
    • We may assist with drafting the system description but do not assume management responsibilities
    • We do not design or implement controls—our role is strictly advisory to maintain independence
  • Timing and Deliverables
    • A typical readiness assessment lasts 4–8 weeks
    • Includes a control listing mapped to the TSC
    • Summary of reviewed documentation
    • Identification of any control or documentation gaps

While optional, this phase can save significant time and effort during the actual audit and help you approach your SOC 2 journey with confidence.

2. Defining Scope

Before work begins, we typically meet with prospective clients to understand their environment, clarify goals, and determine the appropriate path forward. This information-gathering phase helps both sides assess fit, define expectations, and confirm readiness for the engagement. It is also when we identify any pre-engagement requirements needed to maintain independence and meet professional standards.

  • Initial Planning Session
    • Meet with management and stakeholders to discuss goals for SOC 2
    • Review the nature of services, infrastructure, and key systems
    • Identify primary control owners and supporting teams
    • Understand what’s driving the need for a SOC report (e.g., customer demands, growth, contracts)
  • Determine the Examination Type
    • Decide whether a Type I (point-in-time) or Type II (period-based) report is appropriate
    • Discuss timing, audit history, and whether this is a first-time examination
  • Select Applicable Trust Services Categories
    • Review the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy
    • Select those that align with your customer expectations and service delivery
  • Define System Boundaries
    • Identify the systems, infrastructure, data flows, and locations in scope
    • Note subservice organizations and any exclusions
    • Clarify what is considered out of scope
  • Set Timeline and Align Expectations
    • Outline key dates and engagement milestones
    • Walk through the full audit process to explain what to expect
    • Clarify pre-engagement documentation needs, roles, and communication preferences

This step lays the groundwork for testing and helps ensure the SOC 2 audit proceeds efficiently and accurately.

3. Evidence Gathering & System Definition

This phase focuses on collecting documentation and defining how the system operates in relation to the Trust Services Criteria. The organization submits a draft of its control listing, system description, and scope details. Based on this, we provide a tailored evidence request list to your team specific to the environment.

  • Evidence Submission
    • Upload files directly to our audit platform for a streamlined process
    • Receive a customized list of requested items based on your control set and system design
  • Evidence Quality Guidance
    • Learn what constitutes strong evidence
    • Understand completeness and accuracy requirements
    • Receive tips for preparing screenshots, exports, and other artifacts
  • System Description Collaboration
    • Refine Section 3 of your SOC 2 report (System Description)
    • Clarify how your services, systems, and controls work together
    • Ensure a near-final draft is ready by the end of this phase

4. Testing and Validation

This is the core phase of the SOC 2 audit. We independently test your controls to determine whether they are designed effectively and, in the case of a Type II, whether they operated effectively throughout the audit period.

  • Control Effectiveness Testing
    • Review submitted evidence and test whether controls meet the Trust Services Criteria
    • Evaluate control design and operational effectiveness over time (for Type II reports)
  • Sampling and Validation
    • Select samples from relevant populations to assess completeness, accuracy, and consistency
    • Use testing procedures aligned with the AICPA standards
  • Ongoing Communication
    • Conduct follow-up calls and status meetings as needed
    • Address questions or gaps through ongoing dialogue with your team
  • Exception Handling
    • Discuss any findings or issues before finalizing results
    • Collaborate on clarifying or remediating documentation if needed

This phase results in a complete set of validated test results that support our final assurance opinion.

5. QA Review and Draft Report Preparation

Before issuing the final SOC 2 report, we perform a thorough quality assurance (QA) review of our testing and documentation to ensure everything meets professional standards and supports our conclusion.

  • Internal QA Review
    • Audit team conducts a detailed review of all testing procedures and supporting evidence
    • Confirm that testing aligns with the selected Trust Services Criteria and audit scope
  • Draft Report Preparation
    • Prepare a complete draft of the SOC 2 report for internal and client review
    • Ensure descriptions and results accurately reflect the engagement and testing outcomes
  • Client Review and Feedback
    • Share draft with management for review and comments
    • Discuss any revisions needed to the system description or control language

6. Final Reporting and Delivery

After management approves the draft and all open items are resolved, we finalize the SOC 2 report. This document provides formal assurance that your controls were assessed according to the selected Trust Services Criteria.

  • Final Report Contents
    • Our auditor's opinion letter on the design and effectiveness of your controls
    • The management assertion describing the system and controls
    • The finalized system description (Section 3)
    • A detailed list of the controls tested and our independent results of that testing
  • Distribution and Use
    • The final report can be shared with User Entities, your customers, regulators, or business partners

Jordan Novak, Managing Partner

Behind Sage Audits

Hi, I'm Jordan Novak, Managing Partner at Sage Audits LLP. I've built my career around helping organizations like yours navigate the complex world of IT audits, SOC reporting, and risk management.

With a background in both Big Four public accounting and internal IT audit leadership, Sage Audits brings a balanced and practical perspective to every engagement. As an independent auditor, our role is to provide an objective opinion on the design and operating effectiveness of controls. We focus on clear reporting, open communication, and aligning the audit with how your business actually functions.

I enjoy IT Audit and GRC topics, and I love learning about new environments and technology along the way. Sage Audits exists as some CPA firms can be too rigid, too generic, and not as collaborative as they should be (there are nuances to this too). Common-sense decisions can get delayed by layers of governance, and big teams sometimes miss the details that matter. The Sage Audits approach is to focus on our team working with you to be a partner for compliance and IT audit reports.

We stay objective and give you honest feedback. Learn more about our firm. Reach out and contact us for a free consultation if you would like to learn more about our services.

Let's Get Started