Modern SOC & Custom Audit Delivery.
Automate Evidence, Testing, and Reports.
Lockstep helps audit firms deliver more engagements with the same team. Reduce cycles, improve quality, and keep clients happy with AI-powered automation for SOC and custom audits.
Platform Overview
Structured like SOC. Flexible like real audits. Built to grow with your firm.
Assurance Frameworks That Match How Audits Actually Work
Lock is built around the reality that assurance work is structured—but never one-size-fits-all. Our framework engine gives firms native SOC support with the flexibility to evolve as clients, standards, and services change.
- Native support for SOC 1 and SOC 2, aligned to AICPA structure
- Supports Type 1 and Type 2 engagements without reconfiguration
- Criteria, control objectives, and controls are fully traceable throughout the engagement lifecycle
- Create custom frameworks using the same structure as SOC 1 and SOC 2
- Reuse frameworks across clients, engagements, and audit years
- Make updates without breaking prior-year audits or historical evidence
- Frameworks follow the same hierarchy auditors already know: Framework → Criteria → Control Objectives → Controls
- Minimizes training time for audit teams
- Makes reviews, supervision, and partner sign-off faster and more consistent
- Use the framework builder to support ISO 27001 and ISO 42001, HIPAA and HITRUST readiness, and AI governance or emerging assurance standards
- One platform to support multiple assurance offerings as your practice grows
Why Customers Choose This
Right Access for Every Role—Nothing More, Nothing Less
Lock uses role-based permissions designed specifically for assurance engagements, ensuring teams and clients see exactly what they need while maintaining least-privilege and audit defensibility.
- Full access to platform configuration, frameworks, engagements, reporting, and user management
- Designed for firm leadership and system administrators who need complete visibility and control
- Access limited to assigned engagements, controls, and requests
- Ideal for auditors and staff who need to focus only on their responsibilities without unnecessary exposure
- Visibility into all requests, controls, and documentation for their organization's engagements
- Allows client leadership to manage responses, monitor progress, and maintain accountability
- Access is restricted to only the requests assigned to them
- Keeps client contributors focused and reduces confusion or over-sharing
Automated User Deactivation
Inactive users are automatically deactivated based on defined thresholds. Supports least-privilege access, reduces risk, and aligns with SOC and ISO access control expectations.
Designed for Repeatable, Scalable Audit Engagements
Lock engagement management is built for how audit engagements actually happen—recurring clients, evolving systems, and multi-year audits.
- Standardize SOC 1 and SOC 2 engagements with reusable templates
- Reduce setup time while ensuring consistency across clients and audit teams
- Automated reminders ensure all applicable Criteria are addressed
- Helps prevent gaps that lead to rework, delays, or review issues
- Rollover prior engagements into new audit periods
- Carry forward approved controls, prior requests, and historical context
- Quickly identify what changed and what requires re-testing
Consistent Controls Without Losing Auditor Judgment
- Import controls pre-mapped to applicable Criteria and Control Objectives
- Ensures consistency while allowing firm-specific customization
- Automatic control key generation with reset capabilities
- Full visibility into control change history, including updates and revisions
- Reuse controls across multiple engagements and system configurations
- Eliminates duplicate work while preserving engagement-specific context
Flexible, Powerful PBC Management
- Define statuses that match your firm's workflow and review process
- Control visibility and edit rights at the request level for both firm and client users
- Assign and update requests in bulk to accelerate fieldwork and reduce administrative effort
- Quickly locate requests by engagement, control, owner, or status
- Link a single request to multiple controls and across multiple engagements
- Supports efficient evidence reuse without sacrificing traceability
- Upload, manage, and review multiple evidence files per request in one centralized location
Purpose-Built for Efficient, Defensible Audit Execution
The Engagement Testing Phase brings everything auditors need into a single, structured workspace—designed to reduce friction, improve consistency, and support review-ready workpapers.
- Perform all testing activities in one place, including control-to-criteria mapping, request management, evidence review, control creation or refinement, and formal sign-offs
- Eliminates context switching and reduces the risk of missed steps or undocumented decisions
- Maintain real-time traceability between Criteria, controls, testing procedures, requests, and evidence
- Ensures every conclusion is fully supported and reviewable
- Customize columns, views, and layouts by role, engagement, or audit phase
- Access controls ensure staff, reviewers, and partners see only what is relevant to their responsibilities
- System-driven reminders identify missing work, incomplete testing, outstanding evidence, or pending approvals
- Helps teams stay on schedule and engagement-ready at all times
Complete SOC 1 and SOC 2 Reports Built Directly From Engagement Data
The reporting engine generates full SOC 1 or SOC 2 reports directly from approved engagement data, ensuring alignment between fieldwork, workpapers, and the final issued report.
Automatically generated with firm branding, client name, report type (SOC 1 or SOC 2), period covered, and report date.
Supports opinion and scope language appropriate to the engagement type. Adapts to SOC 1 or SOC 2 reporting requirements based on engagement configuration.
Captured and maintained as part of the engagement record. Ensures alignment between management representations, system description, and control coverage.
Built directly from documented system components, boundaries, and engagement context. Supports descriptions of infrastructure, software, data, procedures, people, and subservice organizations.
Automatically populated based on engagement type and scope. For SOC 1, includes control objectives aligned to the description of the system. For SOC 2, includes applicable Trust Services Criteria.
Controls are pulled directly from the approved control library used during testing. Maintains consistency between control design, testing, and reporting.
Supports presentation of test procedures and results as required by the engagement type. Maintains direct traceability to executed testing steps, evidence, and sign-offs.
Compiled directly from completed testing, reviewer sign-offs, and conclusions. Includes controls tested, testing approach, results, and auditor conclusions.
Built for Review, Approval, and Issuance
All report sections are generated from reviewed and approved engagement data. Supports internal review workflows, supervisory sign-off, and consistent issuance standards across SOC 1 and SOC 2 engagements.
Benefits
Complete SOC audits faster with automated evidence collection, testing, and reporting. Get clients to close sooner.
Deliver consistent, high-quality work. Clients appreciate faster turnarounds and clear communication.
Increase capacity without adding headcount. Focus senior time on review and client relationships.
Standardize procedures and documentation across teams. Reduce review cycles and improve defensibility.
Path AI guides your audit team
Path AI learns your firm's methodology and helps auditors take the next right step. It drafts test procedures, summarizes evidence, identifies gaps, and generates workpapers—all while keeping your team in control.
- Tailored to your firm's SOC and custom audit methodology
- Reduces manual documentation work
- Captures reasoning for reviewer approval
- Consistent guidance across all engagements
For Control 2.4 (Access Reviews), the client uploaded Q3 and Q4 access review logs but Q1 and Q2 are missing. Draft a request for the client contact and flag this as a testing gap.
Audit types we support
FAQs
Yes. You can use our prebuilt SOC 2 programs or customize them to match your firm's approach. Custom audit frameworks are fully supported.
No. Path AI assists your team by drafting procedures, summarizing evidence, and identifying gaps. Your auditors stay in control and approve all work.
Lockstep automatically identifies prior-year evidence and suggests which items can be rolled forward for the current engagement, saving time on evidence collection.
Yes. All workpapers, reports, and documentation can be exported in standard formats for your files or client delivery.
Deliver more audits. Faster and better.
See how leading audit firms use Lockstep to increase capacity and improve quality.
