FREQUENTLY ASKED QUESTIONS

We have put together all the information you need to answer your questions about SOC Reporting, including what they are, what they do, and what it takes to get them done. We also help you figure out where to start when choosing a partner to help issue your report.

Questions We’re Frequently Asked About SOC Reports

Maloney + Novotny offers depth of experience when it comes to writing and issuing SOC Reports, from both sides of the desk. Many of our auditors bring previous experience from other industries, including information security and third-party vendors, which makes them especially well equipped to understand our client’s concerns. Here is a sampling of the common questions we receive about SOC reports, the reporting process, and our perspectives on making the process easier.

A:Completing a SOC report within a year is absolutely possible, even for smaller organizations. Choosing the right partner, with experience and the ability to help you determine your needs is key in getting this accomplished. Maloney + Novotny offers a staff of seasoned auditors who are willing to offer a more personalized approach. We understand how to help clients through the process, using standardized checklists that can smooth out the assessment process, clarify expectations, and get you through the audit faster. Our processes make it easier for you to complete the process and to maintain your SOC status over time.

A: One of the biggest benefits of securing a SOC report, besides meeting your customers’ expectations, is that going through the process is likely going to improve your operations. And that could mean higher profitability and increased business for you. In fact, one of our biggest Commented [14]: link to contact form/page goals within the SOC Reporting process is help you to become a better organization through improved operations and systems. Our Readiness Assessments will show you where your operations lead the industry, and where there may be discrepancies and oversights to address. Having this vital information can prompt you to make changes that your customers will value and ultimately reward. In addition, going through the process undoubtedly raises your appeal in the eyes of prospective customers.

A: The entire reporting process can often be completed in less than a year, depending on the organization’s maturity level, familiarity with the processes, and need to make changes before auditing begins. The first stage, or Readiness Assessment, usually takes two to three months. There may be a few months time after the assessment is completed to correct deficiencies, at which point the Type 1 and Type 2 reports can be completed, usually within three months. HITRUST reports can take a few months longer, based on the extent of criteria involved and the need to submit audits to HITRUST so the certification can be issued.

A: We think companies should look for experienced auditors with established processes and at the same time, willing to offer the personalized experience that can make the process far easier. Organizations like Maloney + Novotny pride ourselves on being nationally run with local talent. We strive to pay closer attention to our customers’ needs and your specific customers’ expectations, rather than recommending broad-brushed reporting and audits that could be more extensive and invasive than necessary. Part of our personalized approach involves truly understanding what your customers are asking from you, so that you can provide the most efficient solution with the least disruption to your operations.

A: There are many cases where customers ask for one thing, but need something else, which can be more or less extensive than they initially thought. So companies receiving flat-rate quotations for SOC reports should consider these offers very carefully. In many cases, flat-rate quotes are followed by requests for ancillary services recommended along the way, driving the costs and time commitment above initial expectations. At Maloney + Novotny, investment levels are generally determined after conducting the Readiness Assessment, to confirm the extent of the audit and which criteria need to be assessed.