Our Assurance Audit Process

Six phases, from readiness to final report. Here is exactly what to expect from a SOC 1 or SOC 2 engagement.

Typical Engagement Timelines

SOC 2 Type I: 1–2 months

Point-in-time, often a first engagement

SOC 2 Type II: Report within 1 month of period end

Most common ongoing engagement

SOC 1 Type II: 14–24 weeks

For financial reporting service providers

Timelines vary based on environment complexity, scope, and client readiness. Per-phase estimates are shown in each section below.

A Sage Approach to SOC Audits

We structure every SOC engagement, whether SOC 1 or SOC 2, to be collaborative and efficient. Each phase below is designed so you always know where things stand, what is next, and what is expected. No surprises, no wasted effort.

Sage Audits Team at Ball Arena, Denver, Colorado

01

Readiness Assessment (Optional)

A readiness assessment helps if this is your first SOC audit, you've recently changed your environment, or you want a clearer picture of where you stand before the examination begins.

Typical duration: 4–8 weeks

  • Purpose of SOC 2 Readiness
    • Identify and document the services and systems to be included in the SOC 2 scope
    • Map your current controls to the applicable Trust Services Criteria (TSC)
    • Determine where gaps or weaknesses exist
    • Help your team prepare the system description and control listing needed for the audit
  • Typical Activities
    • Reviewing policies, procedures, and system documentation
    • Interviewing control owners to understand how your environment is managed
    • Assisting with alignment of controls to the selected TSC categories and points of focus
    • Highlighting control gaps, missing documentation, or areas needing improvement
    • Providing recommendations that help you prepare for the formal audit
  • Management Responsibilities
    • We may assist with drafting the system description but do not assume management responsibilities
    • We do not design or implement controls. Our role is strictly advisory to maintain independence
  • Timing and Deliverables
    • A typical readiness assessment lasts 4–8 weeks
    • Includes a control listing mapped to the TSC
    • Summary of reviewed documentation
    • Identification of any control or documentation gaps

While optional, this phase can save significant time and effort during the actual audit and help you approach your SOC 2 journey with confidence.

02

Defining Scope

We meet with your team to understand your environment, clarify goals, and confirm readiness. This phase helps both sides assess fit, define expectations, and identify pre-engagement requirements needed to maintain independence.

Typical duration: 1–2 weeks

  • Initial Planning Session
    • Meet with management and stakeholders to discuss goals for SOC 2
    • Review the nature of services, infrastructure, and key systems
    • Identify primary control owners and supporting teams
    • Understand what's driving the need for a SOC report (e.g., customer demands, growth, contracts)
  • Determine the Examination Type
    • Decide whether a Type I (point-in-time) or Type II (period-based) report is appropriate
    • Discuss timing, audit history, and whether this is a first-time examination
  • Select Applicable Trust Services Categories
    • Review the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy
    • Select those that align with your customer expectations and service delivery
  • Define System Boundaries
    • Identify the systems, infrastructure, data flows, and locations in scope
    • Note subservice organizations and any exclusions
    • Clarify what is considered out of scope
  • Set Timeline and Align Expectations
    • Outline key dates and engagement milestones
    • Walk through the full audit process to explain what to expect
    • Clarify pre-engagement documentation needs, roles, and communication preferences

This step lays the groundwork for testing and helps ensure the audit proceeds efficiently and accurately.

03

Evidence Gathering & System Definition

Your organization submits a draft control listing, system description, and scope details. We review these and provide a tailored evidence request list specific to your environment.

Typical duration: 2–4 weeks

  • Evidence Submission
    • Upload files directly to our audit platform for a streamlined process
    • Receive a customized list of requested items based on your control set and system design
  • Evidence Quality Guidance
    • Learn what constitutes strong evidence
    • Understand completeness and accuracy requirements
    • Receive tips for preparing screenshots, exports, and other artifacts
  • System Description Collaboration
    • Refine Section 3 of your report (the System Description)
    • Clarify how your services, systems, and controls work together
    • Ensure a near-final draft is ready by the end of this phase

This step lays the groundwork for testing and helps ensure the audit proceeds efficiently and accurately.

04

Testing and Validation

The core phase. We independently test your controls to determine whether they are designed effectively and, for Type II reports, whether they operated effectively throughout the audit period.

Typical duration: 4–8 weeks (Type II) · 2–3 weeks (Type I)

  • Control Effectiveness Testing
    • Review submitted evidence and test whether controls meet the Trust Services Criteria
    • Evaluate control design and operational effectiveness over time (for Type II reports)
  • Sampling and Validation
    • Select samples from relevant populations to assess completeness, accuracy, and consistency
    • Use testing procedures aligned with the AICPA standards
  • Ongoing Communication
    • Conduct follow-up calls and status meetings as needed
    • Address questions or gaps through ongoing dialogue with your team
  • Exception Handling
    • Discuss any findings or issues before finalizing results
    • Collaborate on clarification or remediating documentation if needed

This phase results in a complete set of validated test results that support our final assurance opinion.

05

QA Review and Draft Report Preparation

We perform a thorough QA review of all testing and documentation to ensure everything meets professional standards before preparing the draft report. We target a draft report within two weeks of completing fieldwork.

Typical duration: approximately 2 weeks

  • Internal QA Review
    • Audit team conducts a detailed review of all testing procedures and supporting evidence
    • Confirm that testing aligns with the selected Trust Services Criteria and audit scope
  • Draft Report Preparation
    • Prepare a complete draft report for internal and client review
    • Ensure descriptions and results accurately reflect the engagement and testing outcomes
  • Client Review and Feedback
    • Share draft with management for review and comments
    • Discuss any revisions needed to the system description or control language

06

Final Report Delivery

Once management approves the draft and open items are resolved, we finalize the report. The finished document is ready to share with customers, partners, and regulators.

Typical duration: 1–2 weeks after management approval

  • Final Report Contents
    • Our auditor opinion letter on the design and effectiveness of your controls
    • The management assertion describing the system and controls
    • The finalized system description (Section 3)
    • A detailed list of the controls tested and our independent results of that testing
  • Distribution and Use
    • The final report can be shared with User Entities, your customers, regulators, or business partners

Common Questions

Frequently Asked Questions

A SOC 1 report addresses controls relevant to clients' financial reporting. A SOC 2 report assesses security, availability, processing integrity, confidentiality, and privacy under the AICPA Trust Services Criteria. The right report depends on the type of services you provide and what your customers require.

A Type I report evaluates whether your controls are suitably designed at a specific point in time. A Type II report assesses both design and operating effectiveness over a period, typically 6 to 12 months. Enterprise customers generally require a Type II report.

A SOC 2 Type I typically takes one to two months from kickoff to report issuance. A SOC 2 Type II depends on your examination period (3 to 12 months), with the report issued within one month of period end. Including an optional readiness assessment adds 4 to 8 weeks. SOC 1 timelines are similar. The duration depends on environment complexity, how quickly evidence can be gathered, and client readiness.

We start with a planning session to understand your environment before generating evidence requests. Once scope is defined, we provide a customized evidence list specific to your control set. Typical starting documents include your information security policy, risk assessment, and vendor management inventory.

A bridge letter is a management representation that covers the gap between your audit period end date and the date a customer needs to see current coverage. This is common when renewing annually and a customer needs assurance before your next report is issued. We assist clients with bridge letters as part of ongoing engagements.

We raise potential gaps with your team directly before finalizing any results. Most issues surface during the readiness phase or early fieldwork, giving time to remediate. We do not design or implement controls, but we clearly explain what we found and what evidence or documentation would address it.

Yes. We accept evidence in any format, including exports, screenshots, and reports from GRC platforms. We evaluate that evidence independently rather than accepting a platform's assertion of compliance. Using a GRC tool does not change our testing procedures.

Partner-level involvement throughout the engagement is how we operate. You work directly with a partner from scoping through report delivery. You are not handed off to junior staff after kickoff. The same partner who plans the engagement reviews the testing and signs the final report.

Jordan Novak, Managing Partner

Behind Sage Audits

I'm Jordan Novak, Managing Partner at Sage Audits LLP, with a background in Big Four public accounting and internal IT audit leadership. As independent auditors, we provide objective opinions on control design and operating effectiveness, with clear reporting, open communication, and a collaborative approach aligned to your business.

Transparent Pricing

Get Your Custom Quote

Our interactive calculator gives you a transparent estimate based on your organization's size, scope, and compliance requirements. Submit your information and receive a custom quote within 1 business day. No guesswork, no surprises.

What the Estimate Covers

  • SOC 1 or SOC 2 audit scope
  • Organization size and complexity
  • Readiness assessment, if needed
  • Advisory or consulting add-ons
  • Delivered to your inbox, no obligation