Four Phases. Zero Shortcuts.
Every CertPro engagement follows the same structured process — built to reduce burden on your team, not the quality of our examination.
Efficiency Without Compromise
We streamline the audit cycle — but never our standards. Three principles govern every engagement, without exception.
Every control assertion is supported by verifiable, timestamped artifacts. No conclusion is drawn without adequate evidentiary support — period.
Auditors independently verify a risk-based sample of controls outside the evidence platform — including direct system queries and configuration reviews.
We assess control design adequacy, identify anomalies, and evaluate whether evidence reflects the actual control environment — not merely its documentation.
How Every Engagement Runs
A clear, milestone-driven process — from the first call to the final certificate.
Kick-off & Scope
A 30-minute call to confirm audit scope, system boundaries, and engagement timeline. A single point of contact is established on the client side.
Evidence Access
Client shares the evidence repository — G-Drive, SharePoint, or GRC platform. Control matrix reviewed; initial gap list compiled.
Gap Clarification
A structured gap list is issued. A video call reviews each gap collaboratively. Unresolved items are formally documented by severity and TSC mapping.
Report & Certify
Draft report prepared per AT-C Section 205. Independent QA/QC review before issuance. Final signed report and certificates delivered.
Full Transparency. No Surprises.
Every engagement tracked in Asana with real-time visibility. Timelines shift only when client-dependent tasks exceed indicated windows — all changes documented immediately.
All days are business days (Monday–Friday, excluding public holidays). Any delay caused by insufficient evidence is communicated immediately via email with revised milestone dates.
Licensed. Independent. Accountable.
Every engagement governed by published professional standards. Credentialed auditors. Technology-forward methodology.
Assertion-Based Examination Engagements — the governing attestation standard for all SOC 2 examinations. Combined with AT-C § 105 for independence, skepticism, and evidence requirements.
2017 criteria (updated) applied to SOC 2 Type 1 and Type 2 examinations — covering Security, Availability, Confidentiality, Privacy, and Processing Integrity.
Information security and AI management system standards applied where selected as the engagement framework, alongside ISO 19011 audit guidance.
HIPAA Security Rule and GDPR compliance examinations conducted where applicable to the client's regulatory environment and selected scope.
Safeguards That Are Non-Negotiable
Independence and quality controls are built into every engagement — not added on request.
Documented and retained in the audit file for every engagement without exception — before any fieldwork begins.
Every report reviewed by a QA/QC team member not involved in fieldwork. No report leaves CertPro without this step.
CertPro is enrolled in the AICPA Peer Review Program — providing independent external oversight of audit quality across all engagements.
Audit opinions are formed solely on evidence from the current engagement. Prior-period reports are never used as the basis for a current-period opinion.
Ready to Start Your Audit?
Schedule a free 30-minute scoping call. We'll confirm the right framework, walk through our process, and give you a clear timeline — no commitment required.