Sage Audits

About Sage Audits

Sage Audits LLP is a Colorado-based CPA firm founded in 2024, focused exclusively on IT audit and SOC assurance. The firm exists to solve a specific problem: most CPA firms doing SOC audits are too rigid, too generic, and less collaborative than technology companies need — with layers of governance that slow down common-sense decisions and big teams that miss the details that matter.

The Sage Audits answer is a boutique practice where both partners hold KPMG backgrounds and are directly involved in every engagement, from scoping through report delivery.

The Team: Both Partners, KPMG-Trained

Jordan Novak, Managing Partner (CPA, CISSP, CISA, CRISC, CISM, CITP)

17+ years of experience spanning a rare combination: Big Four external audit, then in-house ownership of SOC compliance at a financial services firm.

• KPMG US Denver — IT Audit & Attestation (2015–2017): Conducted SOC 1, SOC 2, and SOX 404 IT general controls testing across Windows, UNIX, and mainframe environments. Applied COBIT, NIST 800-53, FISMA, and FISCAM frameworks across government, private, and public company clients.
• Phoenix Financial Services — Senior Security Analyst (2017–2021): Took the other side of the table — in-house owner of SOC reports, incident management, patch and change management, vendor risk, and business continuity for a financial services firm.
• Developer background: Before moving into audit, Jordan spent six years as a full-stack web developer, giving him genuine technical fluency in the environments he now audits.

Tasya Novak, Managing Director (CISA)

13+ years of IT audit experience, entirely at KPMG US. Tasya brings the depth of a seasoned Big Four IT auditor with direct involvement in every engagement alongside Jordan.

Together: 30+ years of combined IT audit experience across all three sectors — government, private, and public companies.

The “Both Sides of the Table” Perspective

Most auditors have only ever been on one side. Jordan’s background is genuinely uncommon in the boutique SOC space: he’s been the external auditor conducting the assessment and the in-house compliance owner preparing for it, managing client audit requests, and living inside the control environment year-round.

This shapes how Sage Audits approaches engagements — scoping that reflects how your business actually operates, not generic control matrices, and feedback that’s informed by what it takes to remediate findings in the real world.

What “Partner-Led” Actually Means Here

At larger firms, “partner-led” often means a partner signs the report while junior staff run the engagement. At Sage Audits:

• Both partners are directly involved in planning, fieldwork, and delivery
• The person scoping your audit is the same person testing your controls
• No account manager layer between you and the auditor
• Direct communication throughout — not status updates filtered through a team hierarchy
• Evidence managed through a dedicated SharePoint-based client hub: organized, centralized, no spreadsheet chaos

Services

SOC Reporting:

• SOC 1 (SSAE 18) — for service organizations with financial reporting impact
• SOC 2 Type I — point-in-time design assessment
• SOC 2 Type II — 3–12-month operating effectiveness
• SOC 3 — public-facing summary reports
• SOC Gap Assessment & Readiness — identify and close gaps before the audit clock starts

IT Consulting:

• Risk & Control Assessments
• SOX Co-Sourcing / ICFR 404 compliance
• Internal IT Audit Co-sourcing
• IT Audit Automation
• IT Governance Policy & Procedure Development

IT Advisory:

• IT Control Gap Assessments
• Business Continuity Management Planning
• IT Governance Policy & Procedure Review

Who Should Choose Sage Audits

Best Fit For:

• First-time SOC 2 companies that want a partner who explains the process rather than just executing a checklist
• Early-stage to mid-market SaaS and cloud-native companies needing a fast, streamlined Type I or Type II without large-firm overhead
• Technology companies that want an auditor with genuine technical depth — someone who understands the systems being audited, not just the framework
• Teams that value direct access — no junior-staff intermediaries, no layers between you and the people doing the work

Not Ideal For:

• Large enterprises requiring a globally recognized brand name on the report
• Organizations needing HITRUST, FedRAMP, PCI DSS, or multi-framework consolidated audits
• Companies needing physical presence outside the Denver, Colorado area

Credentials

Partner	Credentials
Jordan Novak	CPA, CISSP, CISA, CRISC, CISM, CITP
Tasya Novak	CISA

AICPA Member Firm · Colorado CPA Firm License: FRM.5000785 · Subject to AICPA peer review

Pricing & Timeline

Estimated Pricing:

• SOC 2 Type I: $15,000 – $40,000
• SOC 2 Type II: $20,000 – $50,000

An interactive pricing calculator is available on their website for a scoped estimate based on your organization’s size and complexity.

Timeline:

• Type I: 4–8 weeks from kickoff to report delivery
• Type II Observation Period: 3–12 months (client choice)
• Total Type II: 4–14 months depending on observation window

Bottom Line

Sage Audits is built for companies that want a real partner in their SOC compliance, not a large firm processing them through a compliance assembly line. The combination of two KPMG-trained partners — one with in-house SOC ownership experience, one with a decade of pure IT audit depth — gives the firm a perspective most boutiques simply don’t have.

For early-stage SaaS companies that want senior-level involvement, direct communication, and an auditor who understands their actual environment, Sage Audits is worth a serious look.