VIGIL Assurance, Certified Public Accountants
AICPA · ICPAS — Accepting engagements

We keep watch. You keep building.

SOC reports, ISO readiness, and an ongoing compliance program for founders who'd rather be shipping. Scoped for traction, priced for reality, and staffed by the CPAs who sign the report.

The Control Quiz

Think you know your Trust Services Criteria?

Drag each activity to the TSC it governs. Your score tells us which engagement makes sense for where you are now. No shame in any result.

Real behaviors from actual SOC 2 engagements.
Drag each one to the Trust Service Category that governs it.

1. Security incident response plan tested annually
2. Access reviews run every 90 days on cloud infrastructure
3. Multi-region failover tested before each renewal
4. MFA enforced for all employees on production systems
5. Users can export and delete their personal data on request
6. Daily backups of customer databases, tested quarterly
7. NDAs required for all vendors handling customer contracts
8. Financial transactions reconciled daily against source systems
9. Privacy notice updated when new data types are collected
10. Confidential data fields encrypted and access-logged
11. Input validation on all API endpoints with schema enforcement

Trust Service Categories:

Security
Availability
Confidentiality
Processing Integrity
Privacy

OUR SERVICES

No templates. No guesswork.
Just compliance that works.

End-to-end compliance services tailored for fast-scaling companies preparing for enterprise security and audit requirements.

Not sure where to start?

Most founders aren't sure which engagement fits where they are. Book a 30-minute scoping call and we'll tell you. If the answer is "wait until next quarter," that's what we'll say.

FAQ

Everything founders ask us first.

Have questions about our work or services? This FAQ section covers common queries.

SOC 2 is for companies whose customers care about security, availability, and confidentiality: most B2B software and services. SOC 1 is for companies whose systems affect their customers' financial reporting: fintechs, payroll, billing platforms. Some companies need both. We'll tell you which after a 30-minute call.

A typical Type II audit covers a 3-12 month review period. The actual audit process takes about 4-6 weeks after the observation period ends.

Yes. We work in whatever you already use: Drata, Vanta, Klaay, ComplyJet, a Notion database, a Monday board, or one well-loved Excel file. Not every team needs a six-figure GRC platform to pass an audit. We meet you where you are.

Every engagement is led and executed by experienced senior auditors. You won't be passed off to junior staff who are learning on your time.

Attest (SOC 1, SOC 2) is for when a customer asks for a signed report. Internal audit (ISO 27001, 27701, 42001) is for when you're pursuing external certification. GRC-as-a-Service is for when you need an ongoing compliance function but don't have the headcount to staff one. Not sure? Take the control quiz, or book a call and we'll point you to the right starting point.

No, and that separation is deliberate. Independence rules require that the firm managing a compliance program isn't the firm auditing it. If we run your GRC-as-a-Service, we refer your attest work to a partner audit firm. That independence is what sophisticated enterprise buyers expect to see.

No. We perform readiness and internal audit work. The certification itself is issued by an accredited external body that runs its own audit. We prepare you so that the audit goes smoothly, and refer you to certification bodies when you're ready.

Ready to close that security questionnaire and get back to building?

Contact Us

Get in touch now

Tell us what your customers are asking for and where you are now. We will tell you what you actually need, and what you don't.