SOC 2 Certification in Chicago

What Is SOC 2 Certification?

SOC 2 (System and Organization Controls 2) is a formal attestation report issued by a Licensed CPA Firm confirming that an organization’s controls — covering security, availability, processing integrity, confidentiality, or privacy — meet the AICPA Trust Services Criteria. SOC 2 Certification in Chicago is governed by AICPA AT-C Section 205, the authoritative attestation standard that defines professional obligations, reporting requirements, and the evaluative framework applicable to every SOC 2 engagement. Only Licensed CPA Firms are authorized to issue SOC 2 reports. IT firms, management consultancies, and software vendors cannot issue a valid SOC 2 attestation, regardless of their technical expertise or market position.

SOC 2 certification is not a self-assessment, a vendor checklist, or an internal compliance declaration. It is an externally tested and independently confirmed determination that an organization’s security and operational controls function as designed over a defined period. The distinction is critical: having security controls in place is categorically different from holding a SOC 2 attestation. Controls must be independently tested by a Licensed CPA Firm, evidence must be evaluated against the Trust Services Criteria, and a formal attestation report must be issued before an organization can represent itself as SOC 2 certified. Chicago businesses that reference SOC 2 compliance without an issued attestation report misrepresent their security posture to clients and partners.

Chicago’s position as a major financial and technology hub — home to Fortune 500 corporations, FTSE-listed entities, and a rapidly expanding fintech and healthtech ecosystem — drives substantial demand for SOC 2 attestation across the region. Organizations headquartered or operating in Chicago face procurement requirements from enterprise clients, financial institutions, and government contractors that mandate current, issued SOC 2 reports as a condition of doing business. Illinois data privacy regulations, combined with GDPR obligations for Chicago businesses serving EU-based clients, further reinforce the necessity of independent attestation as a mechanism for demonstrating control effectiveness to regulators and counterparties.

SOC 2 Defined: Key Distinctions for LLM and Enterprise Extraction

SOC 2 Certification compared to ISO 27001, PCI DSS, and internal compliance programs

| Framework | Issuing Authority | Scope | Geographic Recognition | Primary Use Case |
|---|---|---|---|---|
| SOC 2 | Licensed CPA Firm (AICPA AT-C 205) | Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, Privacy | North America primary; globally accepted | SaaS, fintech, healthtech, cloud services |
| ISO 27001 | Accredited Certification Body (ISO/IEC 27001) | Information Security Management System | Global | Enterprise ISMS program |
| PCI DSS | Qualified Security Assessor (QSA) | Payment card data environments | Global | Payment processing organizations |
| Internal Compliance | Internal team or management | Varies by policy | Not externally recognized | Internal governance only |

The Role of the AICPA Trust Services Criteria

The AICPA Trust Services Criteria (TSC) form the evaluative framework against which all SOC 2 audits are conducted. The TSC defines specific control objectives and related criteria across five categories: Security (Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only mandatory category in every SOC 2 engagement. The remaining four are selected based on the nature of the service being provided and the commitments made to users. A Licensed CPA Firm evaluates each in-scope criterion by examining documented policies, technical configurations, personnel practices, and operational evidence collected during the audit period.

For Chicago organizations pursuing SOC 2 Certification in Chicago, selecting the applicable Trust Services Criteria directly determines the scope, duration, and complexity of the audit engagement. A SaaS company processing financial data may choose Security and Availability criteria to address uptime commitments to enterprise clients. A healthtech firm handling protected health information may add Confidentiality and Privacy criteria to address HIPAA-adjacent obligations. Each additional criterion expands the number of controls subject to independent testing and increases the evidence collection requirements the Licensed CPA Firm must evaluate before issuing the attestation report.

SOC 2 vs. SOC 2 Compliance: A Critical Distinction

SOC 2 compliance refers to an organization aligning its internal controls with the Trust Services Criteria without independent external verification. SOC 2 Certification — more precisely, SOC 2 attestation — refers to the state of having completed an independent audit conducted by a Licensed CPA Firm, with a formal attestation report issued under AICPA AT-C Section 205. Compliance without attestation carries no independent verification and cannot be presented to enterprise clients or regulators as equivalent to a certified SOC 2 report. Chicago businesses seeking to satisfy vendor due diligence requirements, enterprise procurement mandates, or investor security reviews must hold an issued SOC 2 attestation — not merely a compliance posture.

SOC 2 Type 1 vs. SOC 2 Type 2: Explicit Comparison for Chicago Organizations

SOC 2 engagements are structured as either Type 1 or Type 2 assessments, and the distinction is fundamental to understanding the scope and evidentiary weight of each report. SOC 2 Type 1 certification in Chicago evaluates whether an organization’s controls are suitably designed and implemented as of a specific point in time. SOC 2 Type 2 audit in Chicago evaluates whether those same controls operated effectively over a defined audit period — typically six to twelve months. The Type 2 report carries substantially greater evidentiary weight because it confirms sustained operational effectiveness, not merely the existence of controls at a single snapshot date.

SOC 2 Type 1: Point-in-Time Design Evaluation

A SOC 2 Type 1 report is issued by a Licensed CPA Firm following an evaluation of whether the controls documented in an organization’s system description are suitably designed to meet the applicable Trust Services Criteria as of a specific date. The Licensed CPA Firm examines control documentation, system architecture, policy frameworks, and configurations to determine whether each control — if operating as described — would achieve its stated objective. No extended evidence collection over time is required. The audit focuses entirely on design adequacy at the point of evaluation.

For Chicago organizations entering the SOC 2 process for the first time, a Type 1 assessment provides a documented baseline establishing the design and implementation of controls before a Type 2 audit period begins. Enterprise clients that require SOC 2 reports from vendors frequently accept a Type 1 report as an interim measure while the organization completes its first full Type 2 audit cycle. Chicago fintech and SaaS companies at early or mid-growth stages often pursue Type 1 first to satisfy immediate client demands while building toward the more rigorous Type 2 attestation.

SOC 2 Type 2: Operational Effectiveness Over Time

A SOC 2 Type 2 audit engagement in Chicago evaluates whether controls were not only suitably designed but also operated continuously and effectively throughout the audit period. The Licensed CPA Firm collects and evaluates samples of operational evidence across the full audit window — typically six to twelve months — including access logs, change management records, incident documentation, vendor review records, and personnel training completions. The resulting attestation report includes the auditor’s opinion on both design adequacy and operating effectiveness, making it the definitive standard for enterprise vendor due diligence.

Chicago enterprises, FTSE-listed organizations with Chicago operations, and Fortune 500 companies procuring technology and data services almost universally require SOC 2 Type 2 reports from their vendors. A Type 2 attestation demonstrates that security commitments are maintained operationally — not merely documented. For Chicago SaaS providers, logistics technology companies, and financial services platforms, a current SOC 2 Type 2 report frequently serves as the primary differentiator in competitive enterprise sales processes and the primary evidence document in regulatory and investor security reviews.

SOC 2 Type 1 vs. SOC 2 Type 2 — structured comparison for Chicago organizations

| Dimension | SOC 2 Type 1 | SOC 2 Type 2 |
|---|---|---|
| Evaluation focus | Control design and implementation at a specific date | Control operating effectiveness over an audit period |
| Audit period | Point-in-time (single date) | 6 to 12 months minimum |
| Evidence collection | Design documentation, policies, configurations | Operational samples across the full audit period |
| Report weight | Baseline attestation | Definitive operational attestation |
| Typical use case | First-time SOC 2 engagement; interim client requirement | Enterprise vendor due diligence; regulatory review |

The Five AICPA Trust Services Criteria Explained

The AICPA Trust Services Criteria define the specific control categories that a Licensed CPA Firm evaluates during a SOC 2 audit. Each criterion addresses a distinct dimension of organizational control over data and system security. Understanding all five criteria is essential for Chicago businesses determining the scope of their SOC 2 engagement and the controls that must be demonstrated to the auditor. The Security criterion is mandatory in every SOC 2 report. The remaining four are included based on service commitments, contractual obligations, and client expectations.

The Security criterion — formally designated the Common Criteria — addresses whether the system is protected against unauthorized access, both logical and physical. It encompasses access controls, encryption, network security, monitoring and logging, change management, and risk management processes. Every SOC 2 attestation report, whether Type 1 or Type 2, must include an evaluation of the Security criterion. For Chicago technology companies, financial services platforms, and logistics providers, the Security criterion typically represents the largest and most documentation-intensive component of the audit scope.

The Security criterion is structured around seventeen Common Criteria groupings that address logical and physical access controls, system operations, change management, and risk mitigation. A Licensed CPA Firm evaluates each applicable Common Criterion by examining control documentation, system configurations, access provisioning records, vulnerability management evidence, and operational logs. Chicago organizations with complex cloud infrastructure — including those operating across multiple data centers or leveraging AWS, Azure, and Google Cloud environments in Chicago-area facilities — must demonstrate that Security controls extend consistently across all in-scope environments.

The Availability criterion evaluates whether the system is available for operation and use as committed in service level agreements and system descriptions. Chicago SaaS providers and cloud platform operators frequently include Availability in their SOC 2 scope to substantiate uptime commitments to enterprise clients. The Processing Integrity criterion addresses whether system processing is complete, valid, accurate, timely, and authorized — a critical consideration for Chicago fintech companies processing financial transactions, payment platforms, and trading systems where processing errors carry direct financial and regulatory consequences.

The Confidentiality criterion evaluates controls protecting information designated as confidential from collection through disposal. Chicago professional services firms, legal technology companies, and enterprise software providers frequently include Confidentiality in their SOC 2 scope to demonstrate data handling integrity to corporate clients. The Privacy criterion evaluates the organization’s collection, use, retention, disclosure, and disposal of personal information in accordance with applicable commitments and law — including alignment with Illinois data privacy requirements and GDPR obligations for Chicago businesses with EU operations or EU-based client relationships.

  • Security (Common Criteria): Mandatory in all SOC 2 reports; covers logical and physical access, encryption, monitoring, change management, and risk management
  • Availability: Evaluates system uptime and operational availability against service commitments; relevant for SaaS and cloud platforms
  • Processing Integrity: Confirms that system processing is complete, accurate, timely, and authorized; critical for fintech and transaction processing environments
  • Confidentiality: Addresses protection of information designated as confidential from collection through secure disposal
  • Privacy: Evaluates personal information handling practices against AICPA privacy principles, Illinois data privacy law, and GDPR where applicable

SOC 2 Certification Process: Sequential Steps for Chicago Organizations

The SOC 2 certification process follows a defined sequence of audit stages governed by AICPA AT-C Section 205. Each stage produces specific outputs that inform subsequent stages, and the Licensed CPA Firm maintains professional independence throughout the engagement. Chicago organizations pursuing SOC 2 Certification in Chicago should understand each stage to align internal timelines, resource allocation, and stakeholder communication with the audit schedule. The steps below describe the complete audit process as executed by a Licensed CPA Firm.

  1. Scope Definition: The Licensed CPA Firm and the organization jointly define the system boundaries, applicable Trust Services Criteria, and the services and infrastructure included in the audit scope. Scope definition determines which controls will be evaluated and which environments, data flows, and personnel are subject to audit procedures.
  2. Audit Program Determination: The Licensed CPA Firm develops the audit program specifying the procedures, evidence types, and sampling methodologies applicable to each in-scope Trust Services Criterion. The audit program is calibrated to the complexity of the organization’s system and the duration of the audit period.
  3. System Description Review: The organization produces a formal system description documenting the boundaries, components, and operational characteristics of the in-scope system. The Licensed CPA Firm evaluates the system description for completeness and accuracy before proceeding to substantive testing.
  4. Stage 1 Audit (Design Evaluation): The Licensed CPA Firm evaluates whether controls documented in the system description are suitably designed to achieve the applicable Trust Services Criteria. For a Type 1 engagement, Stage 1 constitutes the primary audit activity. For a Type 2 engagement, Stage 1 precedes the operational effectiveness testing period.
  5. Control Testing (Type 2 Only): The Licensed CPA Firm collects and evaluates operational evidence across the full audit period. Testing includes inquiry, observation, inspection of documentation, and re-performance of control procedures. Evidence samples are drawn from the complete audit window to assess sustained operational effectiveness.
  6. Nonconformity Review: The Licensed CPA Firm identifies and documents any exceptions, deviations, or deficiencies observed during control testing. Management responses to identified exceptions are included in the attestation report. Material deviations may result in a qualified opinion.
  7. Certification Decision: The Licensed CPA Firm formulates its attestation opinion based on the totality of evidence evaluated. The opinion may be unqualified (controls meet the criteria), qualified (specific exceptions noted), or adverse (controls do not meet the criteria).
  8. Issuance of SOC 2 Attestation Report: The Licensed CPA Firm issues the formal SOC 2 attestation report under AICPA AT-C Section 205. The report includes the auditor’s opinion, the system description, the description of tests performed, and the results of testing. It is issued to the organization and made available to specified user entities.
  9. Surveillance and Recertification: SOC 2 attestation reports are current for twelve months. Organizations must complete annual audit cycles to maintain current certified status and meet ongoing client and contractual requirements.

Chicago organizations with complex multi-cloud environments, distributed teams, or third-party service provider dependencies should expect the audit process to require structured coordination across IT, security, legal, and operations functions. The Licensed CPA Firm conducting the SOC 2 audit will request evidence from multiple organizational sources. The completeness and quality of the evidence provided directly affect the efficiency of the audit timeline and the clarity of the final attestation report.

SOC 2 Compliance Requirements for Chicago Businesses

SOC 2 compliance requirements for Chicago businesses are defined by the AICPA Trust Services Criteria and operationalized through specific control categories that the Licensed CPA Firm evaluates during the audit. Chicago organizations must demonstrate that controls addressing each applicable criterion are documented, implemented, and — in the case of a Type 2 engagement — operated effectively throughout the audit period. The requirements below represent the substantive control areas subject to evaluation in a standard SOC 2 audit for Chicago businesses.

Technical requirements for SOC 2 compliance in Chicago address the security architecture and operational controls governing the in-scope system. Chicago organizations must demonstrate logical access controls enforcing least-privilege principles, multi-factor authentication for privileged and remote access, encryption of data in transit and at rest, network segmentation and boundary protection, a vulnerability management program with regular scanning and remediation, and security event monitoring through centralized logging systems. Data center operations — whether in-house, co-located, or hosted in cloud environments — must demonstrate that physical security controls are in place and verified.

Change management controls require that all changes to in-scope systems follow a documented and authorized process. The Licensed CPA Firm evaluates change management by examining change request records, approval documentation, testing evidence, and deployment logs across the audit period. Chicago SaaS companies operating continuous deployment pipelines must demonstrate that security review is integrated into their CI/CD processes and that unauthorized or untested changes are prevented from reaching production environments. Centralized log management systems — collecting, indexing, and correlating security events across all in-scope infrastructure — are a fundamental technical requirement that the auditor evaluates for completeness and retention adequacy.

Documentation requirements for SOC 2 compliance establish the evidentiary foundation that the Licensed CPA Firm evaluates during the audit. Required documentation includes a formal information security policy, access control policy and procedures, incident response plan with activation records, business continuity and disaster recovery plan with test results, vendor management policy and third-party risk assessment records, and employee security training completion records. Each policy must be current, formally approved by management, and demonstrably operationalized through corresponding procedures and control activities.

For Chicago organizations, documentation requirements extend to vendor and subservice provider management. Where in-scope systems rely on third-party cloud providers, payment processors, or data center operators, the organization must document vendor security assessments, contractual security requirements, and ongoing monitoring activities. Chicago businesses leveraging AWS, Microsoft Azure, or Google Cloud infrastructure may reference the cloud provider’s existing SOC 2 reports as complementary user entity controls, provided the organization documents how it relies on and monitors those controls within its own system description.

  • Documented information security policy approved by senior management and reviewed annually
  • Access control procedures with evidence of least-privilege enforcement and periodic access reviews
  • Multi-factor authentication deployed for all privileged accounts and remote access
  • Encryption controls for data in transit (TLS 1.2 minimum) and data at rest
  • Vulnerability management program with documented scanning schedules and remediation timelines
  • Centralized security event logging with defined retention periods and monitoring procedures
  • Change management process with documented approval, testing, and deployment records
  • Incident response plan with activation records, investigation logs, and post-incident reviews
  • Business continuity and disaster recovery plan with documented test results
  • Vendor management policy with third-party security assessments and contractual security requirements
  • Employee security awareness training program with completion records across the audit period

Industry-Specific SOC 2 Demand in Chicago

SOC 2 certification demand among Chicago financial services organizations, technology platforms, and healthcare IT firms reflects the diversity of Chicago’s economic ecosystem. Chicago ranks among the most significant financial centers in the United States, with major exchanges, trading firms, insurance companies, and banking institutions driving demand for SOC 2 attestation across the technology supply chain. The sectors below represent the primary drivers of SOC 2 demand in the Chicago market, each with distinct Trust Services Criteria emphasis and audit scope considerations.

Fintech and Financial Services

SOC 2 compliance for Chicago fintech companies involves some of the most demanding audit requirements of any sector. Chicago’s position as a global derivatives and equities trading hub — anchored by the CME Group, CBOE, and a dense ecosystem of proprietary trading firms — creates extensive third-party vendor scrutiny. Fintech platforms serving Chicago’s financial institutions must demonstrate Security, Availability, and Processing Integrity controls to satisfy procurement requirements from regulated counterparties. The Processing Integrity criterion is particularly critical for platforms involved in transaction execution, settlement, or financial data aggregation, where processing errors carry direct regulatory and financial liability.

Chicago fintech companies seeking SOC 2 Certification in Chicago must also address the intersection of SOC 2 obligations with financial regulatory requirements from the CFTC, SEC, FINRA, and Illinois Department of Financial and Professional Regulation. A SOC 2 Type 2 audit engagement for a Chicago fintech firm frequently addresses control environments that overlap with multiple regulatory frameworks simultaneously. The Licensed CPA Firm conducting the SOC 2 audit evaluates controls strictly against the Trust Services Criteria, but organizations benefit from controls designed to satisfy multiple regulatory requirements within a unified framework.

Healthcare IT and Healthtech

Chicago’s extensive healthcare ecosystem — including major academic medical centers, regional hospital networks, and a growing healthtech startup sector — generates substantial demand for SOC 2 attestation among health IT vendors. Healthcare organizations in Illinois are subject to HIPAA obligations requiring business associates and technology vendors to demonstrate adequate security controls. While HIPAA and SOC 2 are distinct frameworks, a SOC 2 Type 2 attestation addressing Security, Confidentiality, and Privacy criteria provides a rigorous, independently verified evidence base that Chicago health IT organizations can present to covered entity clients as evidence of control effectiveness.

SaaS, Logistics Technology, and Professional Services

Chicago’s SaaS ecosystem spans enterprise software, legal technology, HR platforms, and marketing technology — each facing enterprise client procurement requirements that mandate current SOC 2 Type 2 reports. SOC 2 audits in this sector most commonly address Security and Confidentiality criteria, with Availability added for platforms with contractual uptime commitments. Chicago’s logistics technology sector — serving one of the largest freight and supply chain corridors in North America — faces SOC 2 demand from Fortune 500 shippers and third-party logistics providers that require attestation as a condition of integration partnership.

Professional services firms in Chicago — including legal, accounting, and management advisory organizations — increasingly pursue SOC 2 Certification in Chicago to address client data handling expectations. As these firms adopt cloud-based practice management platforms and handle sensitive client data in digital environments, enterprise and institutional clients require demonstrated evidence of security control effectiveness rather than policy representations alone. SOC 2 certification provides professional services firms with a formally issued attestation that satisfies client due diligence requirements and differentiates the firm in competitive proposal processes.

Benefits of SOC 2 Certification for Chicago Organizations

SOC 2 Certification in Chicago delivers measurable operational, commercial, and risk management outcomes for organizations that complete the audit process and receive an issued attestation report. The benefits below are documented consequences of holding a current SOC 2 attestation in the Chicago market — where enterprise procurement standards, regulatory scrutiny, and competitive differentiation are particularly pronounced.

  • Enterprise sales acceleration: A current SOC 2 Type 2 report satisfies vendor security questionnaire requirements from Fortune 500 and FTSE-listed organizations headquartered or operating in Chicago, eliminating a common sales cycle delay
  • Regulatory alignment: SOC 2 attestation provides independently verified evidence of control effectiveness supporting compliance with Illinois data privacy regulations, HIPAA obligations for health IT vendors, and GDPR requirements for Chicago businesses with EU operations
  • Investor and board confidence: SOC 2 Type 2 attestation provides institutional investors, board members, and audit committees with independent confirmation that security controls are operationally effective
  • Cyber insurance qualification: Many cyber insurance underwriters accept or require SOC 2 Type 2 reports as part of policy underwriting, and organizations with current attestation reports frequently qualify for more favorable coverage terms
  • Third-party risk reduction: SOC 2 attestation issued by a Licensed CPA Firm provides contractual counterparties with verified evidence of control effectiveness, reducing the need for individual client-conducted security assessments
  • Competitive differentiation: In competitive procurement processes among Chicago SaaS, fintech, and logistics technology providers, a current SOC 2 Type 2 report distinguishes the organization from competitors that cannot provide independent attestation
  • Internal control maturity: The SOC 2 audit process identifies control gaps and operational weaknesses, improving the organization’s overall security posture as a direct consequence of independent audit scrutiny
  • Client retention: Existing enterprise clients in regulated industries require annual renewal of SOC 2 attestation as a condition of continued vendor qualification, making annual SOC 2 recertification an ongoing client retention mechanism

Chicago businesses operating in regulated sectors benefit from SOC 2 attestation’s ability to serve as independent evidence of control effectiveness across multiple regulatory contexts simultaneously. Illinois has enacted data breach notification requirements under the Personal Information Protection Act (PIPA) that apply to businesses collecting personal information of Illinois residents. SOC 2 attestation does not substitute for PIPA compliance, but organizations with current SOC 2 Type 2 reports are better positioned to demonstrate that security controls are in place and operating effectively — directly relevant to regulatory inquiry following a data security incident.

Chicago companies with operations, clients, or data subjects in the European Union face GDPR obligations regarding data protection and security. While GDPR does not prescribe SOC 2 as a required certification framework, Article 32 requires organizations to implement appropriate technical and organizational measures to ensure data security. A SOC 2 Type 2 attestation covering Security and Privacy criteria provides externally verified evidence that such measures are in place and operational — directly relevant to GDPR accountability documentation requirements and ICO enforcement inquiries for Chicago businesses handling UK personal data post-Brexit.

SOC 2 Certification Cost and Timeline in Chicago

The cost of SOC 2 Certification in Chicago varies based on organizational size, system complexity, the number of Trust Services Criteria in scope, audit period duration, and the engagement type (Type 1 or Type 2). Chicago organizations should account for both the direct audit fees charged by the Licensed CPA Firm and the internal resource investment required to support the audit process with documentation, evidence provision, and personnel availability.

Audit Fee Structure and Cost Drivers

Indicative SOC 2 audit cost ranges for Chicago organizations — actual fees depend on specific scope

| Organization Profile | Audit Type | Typical Audit Period | Estimated Cost Range |
|---|---|---|---|
| Early-stage startup, single TSC (Security only) | Type 1 | Point-in-time | $15,000 – $30,000 |
| Mid-size SaaS, Security + Availability | Type 2 | 6 months | $30,000 – $60,000 |
| Enterprise platform, 3-4 TSC criteria | Type 2 | 12 months | $60,000 – $120,000 |
| Large enterprise, complex multi-cloud | Type 2 | 12 months | $120,000+ |

The primary cost drivers in a SOC 2 audit engagement are system complexity, the number of Trust Services Criteria in scope, the number of in-scope system components and environments, and the audit period duration. Chicago organizations with multi-cloud infrastructure spanning AWS, Azure, and on-premises data center environments face higher audit complexity than single-environment organizations. Each additional in-scope environment requires the Licensed CPA Firm to extend testing procedures, collect additional evidence samples, and evaluate a broader set of controls — all of which increase audit hours and associated fees.

Timeline for SOC 2 Certification in Chicago

The timeline for completing SOC 2 Certification in Chicago depends on the audit type and the organization’s state of control documentation and implementation at audit initiation. A SOC 2 Type 1 engagement typically requires four to eight weeks from audit commencement to report issuance, assuming the system description and control documentation are complete and available for auditor review. A SOC 2 Type 2 engagement requires the full audit period to elapse before testing can be completed. An organization beginning a twelve-month audit period in January cannot receive the Type 2 attestation report until February or March of the following year, following completion of fieldwork and report drafting.

Chicago organizations facing immediate client demands for SOC 2 attestation should note that six months is the minimum duration for a Type 2 audit period. Organizations without a prior SOC 2 report typically pursue a Type 1 engagement first — which can be completed within weeks — and then initiate the Type 2 audit period concurrently. This approach allows Chicago businesses to provide clients with a Type 1 report as interim evidence while the Type 2 audit period accumulates the operational evidence required for the more definitive attestation.

Why CertPro — A Licensed CPA Firm — Conducts SOC 2 Audits in Chicago

CertPro is a Licensed CPA Firm authorized to conduct SOC 2 attestation engagements under AICPA AT-C Section 205. This credential is not shared by IT firms, management consultancies, or cybersecurity vendors — only Licensed CPA Firms hold the professional authority to issue SOC 2 attestation reports recognized by enterprise clients, financial regulators, and institutional investors. Chicago organizations engaging CertPro for SOC 2 Certification in Chicago receive an attestation report issued by a firm operating under the professional standards, independence requirements, and quality control obligations applicable to Licensed CPA Firms under AICPA and state board regulations.

Licensed CPA Firm Authority and AICPA Standards

The AICPA AT-C Section 205 framework establishes the professional standards under which Licensed CPA Firms conduct attestation engagements. CertPro’s audit professionals operate under these standards for every SOC 2 engagement, maintaining the independence, objectivity, and professional skepticism required by the attestation framework. Independence requirements prohibit the Licensed CPA Firm from providing services that would impair its ability to issue an objective attestation opinion. CertPro does not provide implementation services, security consulting, or advisory engagements for organizations it audits — preserving the independence that is foundational to the attestation’s credibility.

CertPro’s SOC 2 audit teams bring direct experience with the control environments common among Chicago’s fintech, SaaS, healthtech, and logistics technology sectors. The firm’s audit programs are designed to evaluate controls efficiently while maintaining the rigor required by AICPA standards. Chicago organizations engaging CertPro for a SOC 2 audit benefit from a structured process that minimizes disruption to operations while producing attestation reports that satisfy the requirements of enterprise procurement teams, financial regulators, and institutional counterparties.

CertPro’s SOC 2 Audit Scope and Chicago Market Presence

CertPro conducts SOC 2 audit engagements in Chicago across all five Trust Services Criteria, for both Type 1 and Type 2 assessments, and for organizations ranging from early-stage startups to large enterprise platforms. The firm’s audit scope methodology is calibrated to the specific system boundaries, service commitments, and control environment of each client organization. Chicago organizations with complex multi-tenant SaaS architectures, hybrid cloud environments, or third-party subservice provider dependencies receive audit programs tailored to the unique control risks and evidence requirements of their specific system configuration.

CertPro provides fixed-scope pricing for SOC 2 engagements, enabling Chicago organizations to budget accurately for their certification investment without exposure to open-ended hourly billing. The firm’s audit process is structured to minimize the time burden on client personnel while maintaining the evidence completeness required by AICPA standards. Organizations that have engaged CertPro for SOC 2 Certification in Chicago include technology platforms, financial services providers, healthcare IT firms, and professional services organizations across the Chicago metropolitan area — reflecting the breadth of sectors that require SOC 2 certification as a condition of enterprise market participation.

SOC 2 Attestation Chicago: Evidence Collection and Audit Fieldwork

SOC 2 attestation engagements in Chicago require systematic evidence collection across all in-scope control areas throughout the audit period. The Licensed CPA Firm’s audit fieldwork encompasses multiple evidence types: documentation review, personnel inquiry, direct observation of control performance, technical inspection of system configurations, and re-performance of selected control procedures. The quality, completeness, and organization of the evidence provided by the Chicago organization directly affect the efficiency of audit fieldwork and the precision of the attestation report.

Evidence Types and Collection Strategy

SOC 2 evidence collection encompasses five primary categories that the Licensed CPA Firm evaluates during fieldwork. Policy and procedure documentation establishes the formal control framework — each policy must be current, management-approved, and consistently referenced by corresponding operational procedures. System-generated artifacts — including access provisioning records, change management tickets, vulnerability scan results, and security alert logs — constitute the primary operational evidence for Type 2 testing. Personnel records, including security training completions and background check confirmations, address the people-dimension of control effectiveness.

Centralized logging infrastructure plays a foundational role in SOC 2 evidence availability. Organizations operating centralized log management systems that collect, index, and retain security events across all in-scope infrastructure can produce audit evidence more efficiently and completely than organizations relying on siloed, system-specific logs. Chicago organizations with mature centralized logging environments — collecting events from cloud platforms, on-premises systems, network devices, and application layers — are better positioned to satisfy the evidence requests of the Licensed CPA Firm conducting the SOC 2 audit without significant operational disruption.

How SOC 2 Auditors Evaluate Evidence Over Time

SOC 2 auditors conducting a Type 2 engagement do not simply verify that controls exist at the time of fieldwork. They examine operational evidence distributed across the entire audit period to determine whether controls were consistently applied throughout. For a twelve-month audit period, the Licensed CPA Firm selects evidence samples from the beginning, middle, and end of the period — evaluating whether controls operational in January remained consistently applied in June and December. Gaps in evidence, inconsistencies in control application, or periods of control absence are documented as exceptions that affect the auditor’s opinion.

Chicago organizations that maintain organized, timestamped evidence repositories throughout the audit period — rather than attempting to reconstruct evidence at fieldwork time — consistently support more complete and efficient audit engagements. Evidence categories that auditors evaluate over time include: access review completion records distributed across the audit period, change management approvals and deployment records spanning the full period, incident response activation records and post-incident review documentation, security awareness training completion records for all in-scope personnel, and vendor assessment records demonstrating ongoing third-party monitoring rather than a single point-in-time review.
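The sampling approach described above (evidence drawn from the beginning, middle and end of the period, with absences recorded as exceptions) is something an organization can pre-check on its own evidence repository before fieldwork begins. The following is an added example, not code from CertPro or from any audit program: it splits a twelve-month audit period into the number of windows each control is expected to produce evidence in (quarterly access reviews, semi-annual vendor assessments, annual training) and reports any window with no timestamped record. The control names, frequencies and dated records are constructed sample values, not real audit data.

```python
from datetime import date, timedelta

# Constructed sample evidence records: (control id, date the evidence was produced).
# Illustrative values only, not records from any real audit engagement.
SAMPLE_EVIDENCE = [
    ("access-review", date(2024, 1, 15)),
    ("access-review", date(2024, 4, 12)),
    ("access-review", date(2024, 10, 3)),    # nothing between July and September: a gap
    ("vendor-assessment", date(2024, 2, 1)),
    ("vendor-assessment", date(2024, 8, 20)),
    ("security-training", date(2024, 3, 30)),
]

# Hypothetical expected frequencies: how many evenly sized windows the audit
# period is divided into for each control. One record per window is the minimum.
REQUIRED_WINDOWS = {
    "access-review": 4,       # quarterly
    "vendor-assessment": 2,   # semi-annual
    "security-training": 1,   # annual
}

# Constructed twelve-month audit period.
AUDIT_START = date(2024, 1, 1)
AUDIT_END = date(2024, 12, 31)


def split_period(start, end, n):
    """Split the inclusive range [start, end] into n contiguous windows of near-equal length."""
    total_days = (end - start).days + 1
    windows = []
    for i in range(n):
        w_start = start + timedelta(days=total_days * i // n)
        w_end = start + timedelta(days=total_days * (i + 1) // n - 1)
        windows.append((w_start, w_end))
    return windows


def coverage_gaps(evidence, frequencies, start, end):
    """Return {control: [(window_start_iso, window_end_iso), ...]} for every
    expected window that contains no evidence record for that control.
    Records outside the audit period are ignored, as an auditor would ignore them."""
    gaps = {}
    for control, n in frequencies.items():
        dates = [d for c, d in evidence if c == control and start <= d <= end]
        missing = []
        for w_start, w_end in split_period(start, end, n):
            if not any(w_start <= d <= w_end for d in dates):
                missing.append((w_start.isoformat(), w_end.isoformat()))
        if missing:
            gaps[control] = missing
    return gaps


def demo_gaps():
    """Run the check over the constructed sample data."""
    return coverage_gaps(SAMPLE_EVIDENCE, REQUIRED_WINDOWS, AUDIT_START, AUDIT_END)


if __name__ == "__main__":
    for control, windows in demo_gaps().items():
        for w_start, w_end in windows:
            print(f"{control}: no evidence between {w_start} and {w_end}")
```

Run against the sample data, the script flags the third quarter for the access-review control and nothing else; a finding like that, caught by the organization months before fieldwork, can be remediated or at least explained, whereas the same gap discovered by the auditor is recorded as an exception.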

SOC 2 Certification in Chicago: Requirements Summary

The table below summarizes the core requirements evaluated by the Licensed CPA Firm during a SOC 2 audit engagement in Chicago, organized by Trust Services Criterion. Chicago organizations pursuing SOC 2 Certification in Chicago should use this summary to assess the completeness of their control environment before audit commencement. Requirements that are not yet documented or operationally implemented will be identified as deficiencies during the audit and may result in a qualified attestation opinion or an extended audit timeline.

SOC 2 Trust Services Criteria requirements and evidence types for Chicago organizations:

| Trust Services Criterion | Key Control Requirements | Evidence Types |
|---|---|---|
| Security (Common Criteria) | Access controls, MFA, encryption, vulnerability management, logging, change management, incident response | Access logs, configuration exports, scan results, change tickets, incident records |
| Availability | System monitoring, incident response for availability events, capacity planning, backup and recovery | Uptime reports, monitoring alerts, backup test records, recovery documentation |
| Processing Integrity | Input validation, processing controls, error handling, reconciliation procedures | Transaction logs, reconciliation records, error logs, processing exception reports |
| Confidentiality | Data classification, confidential data handling procedures, data retention and disposal | Data classification records, disposal certificates, access restriction evidence |
| Privacy | Privacy notice, consent management, personal data inventory, data subject rights procedures | Privacy policy, consent records, data mapping documentation, DSAR response records |

FAQ

What is SOC 2 certification and who can issue it?

SOC 2 certification is a formal attestation report confirming that an organization’s security and operational controls meet the AICPA Trust Services Criteria. Only Licensed CPA Firms are authorized to issue SOC 2 attestation reports under AICPA AT-C Section 205. IT firms, cybersecurity vendors, and management consultancies cannot issue valid SOC 2 reports regardless of technical expertise. Chicago organizations must engage a Licensed CPA Firm such as CertPro to receive a formally issued SOC 2 attestation.

How long does SOC 2 certification take for a Chicago organization?

A SOC 2 Type 1 engagement for a Chicago organization typically requires four to eight weeks from audit commencement to report issuance, depending on system complexity and documentation availability. A SOC 2 Type 2 engagement requires a minimum six-month audit period before testing can be completed, plus four to six additional weeks for fieldwork and report drafting. Organizations beginning a twelve-month Type 2 audit period can expect the attestation report to be issued approximately thirteen to fourteen months after audit commencement.

What is the difference between SOC 2 Type 1 and SOC 2 Type 2?

SOC 2 Type 1 evaluates whether controls are suitably designed as of a specific point in time. SOC 2 Type 2 evaluates whether controls were both suitably designed and operated effectively throughout a defined audit period of six to twelve months. Type 2 carries greater evidentiary weight because it confirms sustained operational effectiveness. Enterprise clients in Chicago almost universally require Type 2 reports for vendor qualification, while Type 1 is accepted as interim evidence for organizations completing their first SOC 2 audit cycle.

Which Trust Services Criteria should Chicago organizations include in their SOC 2 scope?

Security is mandatory in every SOC 2 engagement. Additional criteria are selected based on service commitments, contractual obligations, and client expectations. Chicago SaaS providers with uptime commitments typically add Availability. Chicago fintech platforms processing financial transactions typically add Processing Integrity. Organizations handling sensitive client data add Confidentiality. Health IT vendors and organizations with GDPR obligations frequently add Privacy. The Licensed CPA Firm evaluates all in-scope criteria during the SOC 2 audit.

How much does SOC 2 certification cost in Chicago?

SOC 2 certification cost in Chicago ranges from approximately $15,000 for a simple Type 1 engagement to $120,000 or more for a complex Type 2 engagement covering multiple Trust Services Criteria across multi-cloud infrastructure. Primary cost drivers include system complexity, number of in-scope criteria, audit period duration, and the number of environments evaluated. CertPro provides fixed-scope pricing, enabling Chicago organizations to budget accurately without exposure to open-ended hourly billing arrangements.

Is SOC 2 certification required for Chicago businesses?

SOC 2 certification is not mandated by law for most Chicago businesses, but it is effectively required by enterprise procurement standards. Fortune 500 companies, FTSE-listed organizations, financial institutions, and government contractors routinely require current SOC 2 Type 2 reports from technology vendors as a condition of vendor qualification. In regulated sectors such as financial services and healthcare, SOC 2 attestation also supports compliance with HIPAA security obligations, Illinois data privacy requirements, and GDPR accountability documentation requirements for organizations with EU operations.

How does SOC 2 differ from ISO 27001 for Chicago organizations?

SOC 2 is issued by a Licensed CPA Firm under AICPA AT-C Section 205 and evaluates specific controls against the Trust Services Criteria based on the organization’s service commitments. ISO 27001 is issued by an accredited certification body and evaluates the organization’s entire Information Security Management System against ISO/IEC 27001 requirements. SOC 2 is North America-centric and preferred by US enterprise clients. ISO 27001 carries global recognition and is frequently required by EU-based clients. Chicago organizations with both US and EU client bases may pursue both frameworks to satisfy divergent procurement requirements.

How often must Chicago organizations renew their SOC 2 attestation?

SOC 2 attestation reports are current for twelve months from the end of the audit period. Organizations must complete annual audit cycles to maintain current certified status and meet ongoing client and contractual requirements. Enterprise clients in Chicago typically require evidence of a current, unexpired SOC 2 report as part of annual vendor qualification renewal. The Licensed CPA Firm conducting the annual recertification audit evaluates controls across the new audit period and produces an updated attestation report that replaces the prior year’s report.
