
Attest Services
Independent attestation,
signed by a licensed CPA.
Vigil Assurance delivers SOC 1 and SOC 2 attestation reports for small-team companies. From scoping through signed report, a licensed CPA runs the engagement end to end. Your enterprise customers get the deliverable they expect.
WHAT WE AUDIT
Two Attestation Reports
SOC 1
For service organizations whose systems affect their clients' financial statements. Common for payroll processors, billing platforms, and payment systems. Control objectives are defined jointly during scoping.
AT-C 320 · Type I or Type II
SOC 2
For service organizations handling customer data. Built on the AICPA Trust Services Criteria. Security is the required category; Availability, Confidentiality, Processing Integrity, and Privacy are added based on commitments made to customers.
AT-C 205 · Type I or Type II
Type I evaluates whether controls are suitably designed as of a point in time. Faster to complete, useful for first-year reporting or early customer conversations. Type II evaluates whether controls operated effectively across a defined period, typically three to twelve months. Type II is the standard for ongoing enterprise procurement.
PRICING
SOC 2 Type I
$7,000 to $10,000 · by TSC scope
For first-year reporting or early enterprise conversations. Faster to complete, point-in-time evaluation.
SOC 2 Type II
$10,000 to $15,000 · by TSC scope
The standard for ongoing enterprise procurement. Three to twelve month observation period.
SOC 1
Priced on scoping call
For systems that affect customers' financial reporting. Payroll, billing, and payment platforms.
Disclaimer: Published prices reflect standard tier scope. Final pricing is confirmed during the scoping call based on actual scope, framework set, and tooling environment.
Onboarding timeline
Phase 1: Scoping (week 1)
60-minute scoping call. We map your product to the applicable Trust Services Criteria, confirm Type I or Type II, and set the audit boundary. Once scope is confirmed, the evidence request list goes out and the audit clock starts.
Phase 2: Foundation (weeks 2 to 4)
Control walkthroughs with your team. Your team begins uploading evidence against the request list in parallel. We confirm the controls in scope, flag any design gaps that should be addressed before testing, and finalize the audit plan.
Phase 3: Evidence and testing (weeks 3 to 6)
The bulk of evidence collection and control testing happens here. We work inside the tools you already use, with one weekly check-in and async work between. For Type II engagements, evidence is sampled across the observation period.
Phase 4: Reporting (weeks 7 to 8)
Draft report for management review. Findings discussed before finalization. Signed SOC report delivered, ready to share with enterprise buyers the day it's issued.
Disclaimer: Typical engagement timeline for SOC 2 Type I. SOC 2 Type II adds a three to twelve month observation period before fieldwork begins. SOC 1 timelines are confirmed during scoping. We commit to a specific timeline in the engagement letter once scoping is complete.
Why Vigil for attest
Licensed CPA, Peer review enrolled
Your attestation is signed by a licensed CPA. Vigil is enrolled in the AICPA Peer Review Program as required.
Deep cloud and SaaS experience
We know how Terraform, CI/CD, SSO, and managed services actually work. No demands for evidence that does not exist in a cloud-native environment.
Independence preserved
We do not audit our own GRC-as-a-Service clients. If you hold a separate advisory engagement, we refer attest work to a partner firm.
100% US-based team
Engagement leadership, fieldwork, and report authoring all happen in North America, from scoping through signature.
Working Together
A 30-minute scoping call is the right place to start.
If we're a good fit, we'll send a proposal within 48 hours.
If we're not, we'll tell you who is.
Get in touch now
Tell us what your customers are asking for and where you are now. We will tell you what you actually need, and what you don't.