Which SOC report do you need?
Answer five quick questions to get a clear recommendation. Then see what the engagement process looks like from start to finish.
SOC 1 vs. SOC 2 quiz
Question 1 of 5
Does your service process, store, or transmit data that appears on your clients' financial statements?
This is the threshold question. SSAE 18 applies when a service organization's controls could affect what clients report on their financial statements.
Get your personalized summary
We'll email you a tailored action plan based on your answers, plus what to prepare before a scoping call.
Summary sent. Check your inbox shortly.
Your next three steps
-
1
Understand what the audit covers
Review what a SOC 1 report contains and how Type 1 vs. Type 2 affects your timeline and cost.
Read the guide -
2
Check your control readiness
The 2026 checklist covers the five control areas most commonly tested. Know where you stand before the call.
Get the checklist -
3
Book your 15-minute scoping call
A quick call confirms your scope, timeline, and cost range. No sales pressure, no obligation to engage.
Schedule now
Curious about cost first? The pricing calculator gives you an estimate in about two minutes.
Prefer to read instead? SOC 1 vs SOC 2 on the Sage Audits blog
What the engagement looks like
From first call to final report, here's the typical SOC 1 engagement process at Sage Audits.
Discovery and scoping
1–2 weeksWe learn about your business, identify the services in scope, and define the control objectives relevant to your clients' financial reporting. This is also where we discuss whether a Type 1 or Type 2 makes more sense for your situation.
Readiness assessment
2–4 weeks, optionalA gap analysis to identify control weaknesses before the formal examination begins. Optional, but it often saves time and prevents surprises. You get a clear picture of what needs to be in place before testing starts.
Examination
Varies by scopeWe test your controls against the defined objectives. For a Type 2, this covers an observation period of typically 6 to 12 months, with phased testing across the period instead of a year-end evidence dump.
Report delivery
2–4 weeks after fieldworkWe issue a clear, professionally written SOC 1 report that you can share with clients and their auditors. The report includes the auditor's opinion, system description, control objectives, and test results (for Type 2).
Ongoing support
AnnualSOC 1 audits are annual. We help you prepare for the next cycle and address any findings from the current report. Continuity with the same auditor makes each subsequent year faster.