Four Phases. Zero Shortcuts.
Every CertPro engagement follows the same structured process — built to reduce burden on your team, not the quality of our examination.
Efficiency Without Compromise
We streamline the audit cycle — but never our standards. Three principles govern every engagement, without exception.
Every control assertion is supported by verifiable, timestamped artifacts. No conclusion is drawn without adequate evidentiary support — period.
Auditors independently verify a risk-based sample of controls outside the evidence platform — including direct system queries and configuration reviews.
We assess control design adequacy, identify anomalies, and evaluate whether evidence reflects the actual control environment — not merely its documentation.
How Every Engagement Runs
A clear, milestone-driven process — from the first call to the final certificate.
Kick-off & Scope
A 30-minute call to confirm audit scope, system boundaries, and engagement timeline. A single point of contact is established on the client side.
Evidence Access
Client shares the evidence repository — G-Drive, SharePoint, or GRC platform. Control matrix reviewed; initial gap list compiled.
Gap Clarification
A structured gap list is issued. A video call reviews each gap collaboratively. Unresolved items are formally documented by severity and TSC mapping.
Reporting
Draft report prepared per AT-C Section 205. Independent QA/QC review before issuance. Final signed report and certificates delivered.
Licensed. Independent. Accountable.
All engagements are performed under established professional standards by qualified audit professionals.
Assertion-based examination engagements governing SOC 2 examinations. Applied alongside AT-C Section 105 for independence, evidence, and professional conduct.
Used for SOC 2 Type 1 and Type 2 engagements across: Security, Availability, Confidentiality, Processing Integrity, and Privacy.
Applied for information security and AI management system audits, supported by ISO 19011 audit guidance.
HIPAA Security Rule and GDPR compliance assessments are conducted where applicable to the client's regulatory environment and selected scope.
Safeguards That Are Non-Negotiable
Independence and quality controls are built into every engagement — not added on request.
Documented and retained in the audit file for every engagement without exception — before any fieldwork begins.
Every report reviewed by a QA/QC team member not involved in fieldwork. No report leaves CertPro without this step.
CertPro is enrolled in the AICPA Peer Review Program — providing independent external oversight of audit quality across all engagements.
Audit opinions are formed solely on evidence from the current engagement. Prior-period reports are never used as the basis for a current-period opinion.
Begin Your Compliance Audit with a Licensed CPA Firm.
Schedule a 30-minute scoping call with a credentialed auditor. We'll identify the right framework, discuss audit scope and outline a clear path based on your current state.