
SOC & HITRUST Solutions

SOC Readiness Assessments
SOC 1 Type 1, SOC 1 Type 2, SOC 2 Type 1, SOC 2 Type 2, and SOC 3 Examinations
HITRUST Readiness Assessments, Risk-Based Assessments, and Interim Assessments

Get peace of mind about your controls with SOC Reports and HITRUST Certifications.

The ability to respond to customers’ requests efficiently and effectively on the controls in place when your company provides services to other companies has become paramount in today’s environment. There are multiple solutions to respond to these types of requests, but we believe SOC reporting has become the most widely accepted report on controls at subservice organizations, as these reports provide a value proposition that differentiates your organization from your competition. Additionally, within the healthcare industry, HITRUST has become the best-in-class certification to highlight an organization’s strategic focus on information security and privacy.

Whether your company is preparing its first System and Organization Controls (SOC) report or HITRUST assessment, or you have concerns that your existing information security program isn't satisfying your users’ needs, FORVIS’ National SOC and HITRUST Team is here to assist you. Users expect assurances in today's outsourced, remote business environment, and boilerplate reports are no longer acceptable given the risks associated with third-party risk management. Our dedicated team of experienced advisors has been helping service organizations refine their processes, enhance controls, and address various types of third-party assurance requests for more than 15 years.

SOC Services

Helping assess and report on the design and operating effectiveness of internal controls.

FORVIS’ dedicated National SOC and HITRUST Team provides SOC Readiness Assessments and SOC 1 Type 1, SOC 1 Type 2, SOC 2 Type 1, SOC 2 Type 2, and SOC 3 examinations to help organizations assess and report on the design and operating effectiveness of their internal controls. We can also assist with SOC for Cybersecurity, a voluntary reporting framework that can help communicate relevant information about a company’s risk management program and its effectiveness. We can likewise assist with SOC for Supply Chain, which, similar to SOC for Cybersecurity, is a market-driven, voluntary reporting framework; it communicates information related to the organization’s supply chain risk management efforts and assesses the effectiveness of system controls to mitigate those risks.

Performing a SOC examination of a third-party service provider includes the following benefits:

  • Provides service providers’ users with information on the internal control environment, including the operating effectiveness of controls affecting the users’ internal controls over financial reporting;
  • Addresses a service provider’s users’ need to understand the internal controls at the service provider related to security, availability, processing integrity, confidentiality, and/or privacy;
  • Aids the service providers’ users’ financial statement auditors in determining reliance on controls in place at the service provider;
  • Eliminates the need for multiple customers to perform on-site audits;
  • Satisfies a requirement by many companies that an audit of internal controls be in place at their service provider;
  • Indicates to potential customers a service provider’s commitment to internal controls and transaction processing integrity;
  • Identifies improvement opportunities in operational areas at the service provider; and
  • Provides an additional marketing opportunity and competitive advantage over other service providers.

HITRUST Solutions

Many healthcare clients are being required by partners, consumers, and other businesses to prove the security around the Protected Health Information (PHI) they receive, store, and use. HITRUST provides industry standardization to evaluate healthcare organizations and the security of their PHI.

As with all projects, HITRUST implementations and certifications have a defined beginning and end. Establishing a comprehensive project plan facilitates a successful HITRUST project. FORVIS’ assessors work closely with organizations to define a project plan divided into three critical phases: Readiness, Implementation, and Reporting. By dividing the HITRUST project into manageable phases, stakeholders are able to address the task at hand while also focusing on and maintaining daily operations. Our assessors establish touchpoints with stakeholders to monitor project progress. These touchpoints help ensure stakeholders’ progress throughout the project while allowing FORVIS the opportunity to provide experienced insight. HITRUST implementations can be challenging; however, with a comprehensive project plan, organizations can efficiently and effectively meet their compliance objectives. Our HITRUST Readiness Assessment Services are designed to help management identify the appropriate HITRUST assessment for the business and prepare the company for its HITRUST validation. FORVIS’ team members can even provide training, education, samples, and guidance to assist management in understanding the basis of the HITRUST report and the expectations for management when moving into the actual assessment work.

FORVIS offers various HITRUST solutions to help meet your organization’s needs:

  • HITRUST Essentials, 1-year (e1) Assessment – This assessment focuses on entry-level assurance for the most critical cybersecurity controls and also verifies that cybersecurity protocols are in place.
  • HITRUST Implemented, 1-year (i1) Assessment – This assessment offers a moderate level of cybersecurity assurance focusing on the most current practices and broad-range active cyber threats compared to the e1 assessment.
  • HITRUST Readiness Assessment – This assessment is designed to help evaluate how closely an organization’s control environment aligns to the HITRUST CSF. We provide Readiness Assessments to support i1 and r2 assessments.
  • HITRUST Risk-Based, 2-year (r2) Assessment – This assessment will result in the issuance of two reports: the HITRUST CSF Validated Assessment Report and the NIST Cybersecurity Framework Report. A letter of either validation or certification also will be issued, based on the assessment’s scoring.
  • HITRUST Interim Assessment – This assessment is required to maintain certified reports and must be submitted no later than the one-year anniversary date of the original certification.

Trusted Advisor

FORVIS has a nationally dedicated SOC and HITRUST practice, with team members exclusively working on these types of engagements and serving clients throughout the U.S. within various industries including technology, healthcare, insurance, financial services, supply chain logistics, REIT and property management, and many others.
