SOC 2 Readiness · Fractional IT Leadership
We don't sell platforms. We earn audits.
A Denver-based readiness practice for SaaS companies, 50 to 300 employees. Lean engagements. Fixed scope. Fixed price.
About the practice
Control and Function is a Denver-based readiness and fractional IT leadership practice. We work with SaaS companies between 50 and 300 employees who are preparing for their first SOC 2 audit, a Type II renewal, or expanding into HIPAA, ISO 27001, or fractional CISO support.
Our positioning is operational, not advisory. We have run a SOC 2 Type II program end to end with no outside MSP and no compliance platform. That experience shapes every engagement we take. We know what an auditor will care about, what they will not, and where most companies waste cycles.
We are platform-neutral by design. Vanta, Drata, Secureframe, or no platform at all is the customer's call. We use AI and modern automation in our own delivery so engagements stay lean, scopes stay fixed, and the timeline holds.
Services
Pick the depth that fits your team and budget. All engagements are remote, fixed-scope, and platform-neutral.
Coaching
4 to 8 weeks · for early-stage SaaS
Your team drives the program. We provide office hours, document review, control implementation guidance, and auditor liaison support. Best when the founders want to own the work.
Most Popular
12 to 16 weeks · for Series A and Series B SaaS
We drive the program end to end. Policies, controls, evidence collection, vendor reviews, pre-audit walkthrough. Your team approves and executes. Audit firm referral included.
Embedded
16 to 24 weeks · fractional CISO
Embedded delivery. We implement controls in your environment alongside your engineers, drive incident response runbooks, and stand up access management discipline. Pairs with SOC 2 readiness or runs standalone.
Retainer
Rolling · post-audit maintenance
Keep your program ready for renewal. Change control reviews, vendor SOC 2 collection, evidence refresh, monthly security check-ins. Your team handles execution. We handle the discipline that fades after the first audit.
Engagement Timeline
Full SOC 2 Readiness engagements run on a four-phase cadence. Each phase has explicit deliverables and an end-of-phase checkpoint. No floating timeline, no scope creep.
Phase 1: Weeks 1 to 3 · Phase 2: Weeks 4 to 7 · Phase 3: Weeks 8 to 12 · Phase 4: Weeks 13 to 16
"Audit dates are deadlines, not aspirations. We treat them that way."
Why Control and Function
Our practice was built on running a SOC 2 Type II program end to end with no outside MSP and no compliance platform. We know what an auditor will press on, what they will not, and where most companies waste cycles.
Most readiness firms are pure GRC writers who cannot configure SSO or speak to engineers in their own language. We can. That means faster engagements, fewer escalations, and a delivery cadence engineering teams actually respect.
SaaS companies serving regulated buyers usually need SOC 2 plus another framework. We run dual-framework engagements (SOC 2 + HIPAA, SOC 2 + ISO 27001) without bringing in a second firm.
Vanta, Drata, Secureframe, or no platform at all. We do not earn referral fees from compliance platform vendors. Our recommendation is based on your situation, not our economics.
We work alongside trusted CPA audit firms. Once you are ready, we hand you off cleanly for the attestation. We never perform the audit ourselves. That separation is by design.
We use AI workflows and modern automation in our own delivery. If you want AI integrated into your compliance program, we already operate that way ourselves.
Contact
A 30-minute discovery call costs nothing and clarifies whether SOC 2 readiness is the right next move for your company. No sales pressure. If we are not the right fit, we will say so and refer you to someone who is.