SOC & HITRUST Solutions

Help assess and report on the design and operating effectiveness of internal controls.

SOC reporting has become the most widely accepted report on controls at subservice organizations, providing a value proposition that differentiates your organization from your competition.

We provide the following SOC examinations to help organizations assess and report on the design and operating effectiveness of their internal controls:

• SOC Readiness Assessments
• SOC 1, Type 1
• SOC 1, Type 2
• SOC 2, Type 1
• SOC 2, Type 2
• SOC 3
• SOC for Cybersecurity
• SOC for Supply Chain

Performing a SOC examination of a third-party service provider can help:

• Deliver service providers' users with information on the internal control environment, including the operating effectiveness of controls affecting the users’ internal controls over financial reporting
• Address a service provider’s users’ need to understand the internal controls at the service provider related to security, availability, processing integrity, confidentiality, and/or privacy
• Aid the service provider’s users’ financial statement auditors to determine reliance on controls in place at the service provider
• Eliminate the need for multiple customers to perform onsite audits
• Satisfy a requirement by many companies that an audit of internal controls be in place at their service provider
• Indicate to potential customers a service provider’s commitment to internal controls and transaction processing integrity
• Identify improvement opportunities in operational areas at the service provider
• Provide an additional marketing opportunity and competitive advantage over other service providers

Many clients serving the healthcare industry are required by partners, consumers, and other businesses to prove the security around the Protected Health Information (PHI) they receive, store, and use.

In healthcare, HITRUST is the best-in-class certification to highlight an organization’s strategic focus on information security and privacy.

Forvis Mazars offers various HITRUST services to help meet your organization’s needs:

• HITRUST Essentials, 1-year (e1) Assessment: This assessment focuses on entry-level assurance for the most critical cybersecurity controls and verifies that cybersecurity protocols are in place.
• HITRUST Implemented, 1-year (i1) Assessment: This assessment offers a moderate level of cybersecurity assurance focusing on the most current practices and broad-range active cyber threats compared to the e1 assessment.
• HITRUST Readiness Assessment: This assessment helps evaluate how closely an organization’s control environment aligns with the HITRUST CSF. We provide Readiness Assessments to support i1 and r2 assessments. Our HITRUST Readiness Assessment Services help management identify the appropriate HITRUST assessment for the business and prepare the company for its HITRUST validation. Our team can provide training, education, samples, and guidance to help management understand the basis of the HITRUST report and the expectations when moving into the actual assessment work.
• HITRUST Risk-Based, 2-year (r2) Assessment: This assessment results in two reports: the HITRUST CSF Validated Assessment Report and the NIST Cybersecurity Framework Report.

A letter of either validation or certification is also issued, based on the assessment’s scoring.

• HITRUST Interim Assessment: This assessment is required to maintain certified reports and must be submitted no later than the one-year anniversary of the original certification.

HITRUST provides industry standardization to evaluate healthcare organizations and the security of their PHI.

HITRUST implementations can be challenging. Our assessors work closely with you to define a project plan divided into three critical phases: readiness, implementation, and reporting. Establishing a detailed project plan successfully assists organizations in efficiently meeting their compliance objectives.

By dividing the project into manageable phases, stakeholders can address the task at hand while also focusing on and maintaining daily operations. Touchpoints and communication throughout the process give opportunities for stakeholders and our professionals to make sure the project is moving along smoothly.