Get peace of mind about your controls with SOC Reports, ISO Certifications, and HITRUST Certifications.
The ability to respond to clients’ requests efficiently and effectively on the controls in place when your company provides services to other companies has become paramount in today’s environment. There are multiple solutions to respond to these types of requests, but we believe SOC reporting has become the most widely accepted report on controls at subservice organizations, as these reports provide a value proposition that differentiates your organization from your competition. Additionally, within the healthcare industry, HITRUST has become the best-in-class certification to highlight an organization’s strategic focus on information security and privacy, and on the international level, ISO 27001 is a globally-recognized information security certification which helps evidence a company’s commitment to security and privacy standards.
Whether your company is preparing its first System and Organization Controls (SOC) report, HITRUST assessment, ISO certification, or you have concerns that your existing information security program isn't satisfying your users’ needs, FORVIS’ National SOC and HITRUST Team is here to assist you. Users expect assurances in today's outsourced, remote business environment, and boilerplate reports are no longer acceptable given the risks associated with third-party risk management. Our dedicated team of experienced advisors has been helping service organizations refine their processes, enhance controls, and address various types of third-party assurance requests for more than 15 years.
SOC Services
Helping assess and report on the design and operating effectiveness of internal controls.
FORVIS’ dedicated National SOC and HITRUST Team provides SOC Readiness Assessments and SOC 1 Type 1, SOC 1 Type 2, SOC 2 Type 1, SOC 2 Type 2, and SOC 3 examinations to help organizations assess and report on the design and operating effectiveness of their internal controls. We can also assist with SOC for Cybersecurity, a voluntary reporting framework that can help communicate relevant information about a company’s risk management program and its effectiveness. We can assist as well with SOC for Supply Chain, which, like SOC for Cybersecurity, is a market-driven, voluntary reporting framework for communicating information about the organization’s supply chain risk management efforts and assessing the effectiveness of system controls to mitigate those risks.
Performing a SOC examination of a third-party service provider includes the following benefits:
- Provides service providers’ users with information on the internal control environment, including the operating effectiveness of controls affecting the users’ internal controls over financial reporting;
- Addresses a service provider’s users’ need to understand the internal controls at the service provider related to security, availability, processing integrity, confidentiality, and/or privacy;
- Aids the service providers’ users’ financial statement auditors in determining reliance on controls in place at the service provider;
- Eliminates the need for multiple customers to perform onsite audits;
- Satisfies a requirement by many companies that an audit of internal controls be in place at their service provider;
- Indicates to potential customers a service provider’s commitment to internal controls and transaction processing integrity;
- Identifies improvement opportunities in operational areas at the service provider; and
- Provides an additional marketing opportunity and competitive advantage over other service providers.
HITRUST Solutions
Many healthcare clients are being required by partners, consumers, and other businesses to prove the security around the Protected Health Information (PHI) they receive, store, and use. HITRUST provides industry standardization to evaluate healthcare organizations and the security of their PHI.
As with all projects, HITRUST implementations and certifications have a defined beginning and end. Establishing a comprehensive project plan facilitates a successful HITRUST project. FORVIS’ assessors work closely with organizations to define a project plan divided into three critical phases: Readiness, Implementation, and Reporting. By dividing the HITRUST project into manageable phases, stakeholders are able to address the task at hand while also focusing on and maintaining daily operations. Our assessors establish touchpoints with stakeholders to monitor project progress. These touchpoints help ensure stakeholders’ progress throughout the project while allowing FORVIS the opportunity to provide experienced insight. HITRUST implementations can be challenging; however, with a comprehensive project plan, organizations can efficiently and effectively meet their compliance objectives. Our HITRUST Readiness Assessment Services are designed to help management identify the appropriate HITRUST assessment for the business and prepare the company for its HITRUST validation. FORVIS’ team members can even provide training, education, samples, and guidance to assist management in understanding the basis of the HITRUST report and the expectations for management when moving into the actual assessment work.
FORVIS offers various HITRUST solutions to help meet your organization’s needs:
- HITRUST Self-Assessment – The HITRUST bC Assessment is a verified good hygiene information security self-assessment which offers a current state assessment of an organization’s compliance with HITRUST.
- HITRUST Readiness Assessment – This assessment is designed to help evaluate how closely an organization’s control environment aligns to the HITRUST CSF. We provide Readiness Assessments to support i1 and r2 assessments.
- HITRUST Validated Assessment – This assessment will result in the issuance of two reports: the HITRUST CSF Validated Assessment Report and the NIST Cybersecurity Framework Report. A letter of either validation or certification also will be issued, based on the assessment’s scoring.
- HITRUST Interim Assessment – This assessment is required to maintain certified reports and must be submitted no later than the one-year anniversary date of the original certification.
International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27001 Solutions
Helping prepare for an ISO 27001 Certification and providing guidance on performing Stage 1 and Stage 2 audits.
Those organizations operating at an international scale are faced with a unique challenge associated with information security and privacy assurance. Our team of Lead Auditors is well positioned to support you with understanding the process to prepare for an ISO 27001 Certification as well as to perform Stage 1 and Stage 2 audits. ISO/IEC 27001 and ISO/IEC 27002 are the main ISO standards that provide organizations with the opportunity to enhance their information security. ISO/IEC 27001 is primarily a framework to assist organizations in managing information security, while ISO/IEC 27002 specifies implementation guidance for information security controls specified within ISO/IEC 27001. FORVIS’ team members are ready to support you with preparing for and pursuing an ISO 27001 Certification.
FORVIS offers various ISO 27001 solutions to help meet your organization’s needs:
- ISO 27001/27002 Readiness Assessment – The ISO 27001 Readiness Assessment is designed to support organizations in evaluating the statement of applicability and potential nonconformities associated with an ISO 27001 Certification.
- ISO 27001 Internal Audit Services – A key component of ISO 27001 readiness and compliance is the maintenance of an internal control monitoring function. Our Lead Auditors’ knowledge and experience of ISO 27001 allows them to support your organization efficiently and effectively with the internal audit requirement.
- ISO 27001 Certification – Performing Stage 1 and Stage 2 audits results in the submission of the recommendation for certification to one of FORVIS’ Certification Body partners.
Trusted Partner
FORVIS has a nationally-dedicated SOC and HITRUST practice, with team members exclusively working on these types of engagements and serving clients throughout the U.S. within various industries including technology, healthcare, insurance, financial services, supply chain logistics, REIT and property management, and many others.