Welcome to MJD Advisors
Your Opportunity for a Smooth Security and Compliance Experience
Don't let compliance interrupt optimal business performance. Our clients look to us to reduce complexity, stress and uncertainty through the use of technology, collaboration and project management.
SOC Examinations
System and Organization Controls (SOC) reports are a crucial tool to build trust and credibility with your stakeholders and expedite your sales process. If it's not a requirement of your business today, it will likely be in the future, but when delivered correctly the process will add considerable value to your organization.
SOC FOR SERVICE ORGANIZATIONS
Prove to stakeholders the internal controls you have in place surrounding financial reporting, security, availability, processing integrity, confidentiality, and privacy meet their needs.
SOC 1 | Internal controls over financial reporting |
SOC 2 | Trust Services Criteria |
SOC 3 | General use report on Trust Services Criteria |
SOC FOR CYBERSECURITY
Give your stakeholders peace of mind in today’s world of cybersecurity attacks by reporting on your internal cybersecurity risk management program.
SOC FOR SUPPLY CHAIN
Communicate to stakeholders about your supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks.
Advisory & Other Services
Beyond SOC reporting, we offer services related to your information security program. We take care in assessing your organization's risk factors and help you remain compliant, so you can focus on growing your business.
- Internal Audit
- Healthcare Compliance
- Privacy Assessment
- Compliance Readiness and Gap Remediation
- Risk Assessment
- 3rd Party Due Diligence
Our Process
Our firm was digitally founded and our team is system focused. We leverage templates for scale, with enough flexibility to meet each client's individual needs and to work in our clients' favorite tools and technology. You can expect a unique engagement experience, and we like to work in an agile environment, but here are the standard phases you will see on a compliance project.
Prepare
We perform a full review of your current security program documents and customer commitments and create a Slack channel for collaboration and document sharing.
Build
We prepare a customized service guide in Notion used to align expectations, collect evidence and deliver a real-time picture of status and what to expect next.
Understand-Observe-Align
We meet with your team over a series of teleconferences to learn about what makes you special, observe certain key aspects of the system and align on the project blueprints.
Launch Scope Period
There is no candle lighting ceremony or fireworks (at least not yet). The scope period begins when management feels comfortable with the controls in place.
System Testing
It is a compliance service, so there need to be sample selections and evidence collection. We believe our investment in planning, alignment and collaboration makes for a seamless and painless process. We love to hear how surprised you are by the simplicity of the actual examination, because that means you were adequately prepared.
Retrospective
Right before we finish the project we like to hear how things went and prepare for the next scope period.
Issue Report
We wrap-up testing, obtain approvals and celebrate.
Your Report
We have a fully integrated process, so the report is in preparation throughout the engagement and provided to you in a shared Google Doc in the early stages of the project. We ask you to own the product, provide feedback, and make sure it reads as your voice, but we are willing to handle most of the heavy lifting to make your life easier.
Industries We Serve
No company is too large, or too small. We focus on people more than industries but aim to serve those who are generally cloud first and share our passion for innovation and collaboration.
Financial Services
Healthcare
Banking
Insurance
Real Estate
Blockchain & Cryptocurrency
Artificial Intelligence
Big Data & Analytics
Cybersecurity
Project Management
About Us
What Makes Us Special
Innovation with Purpose
System Built
Customer Focused
Speed and Agility
Digitally Founded
Decision Driven
FAQ
What are the minimum requirements for SOC 2 compliance?
The short answer: there are no minimum or prescribed requirements for SOC 2. The AICPA has designed SOC 2 as a conceptual framework that requires you to determine system objectives, identify risks to meeting those objectives and implement controls designed to mitigate those risks.
For a first-time SOC 2, what we look to focus on are the controls that will meet the expectations of your customers and business partners. All of the clients we work with are trying to do the right things, but need some help enhancing their documentation and processes or identifying the most effective methods of achieving those expectations. You are about to provide these individuals a new level of transparency about your organization and we want to help you provide an accurate, high quality report that you submit with pride.
Can you do a 3 month type 2 scope period?
There isn’t a specific minimum period that is prescribed by the AICPA. The minimum length of the scope period is a business decision and should be of a length of time that demonstrates the controls operated effectively and will be of value to the users of the report.
Generally, as the focus of SOC 2 is on customers, we encourage clients to have some dialogue with a critical customer or prospect that is requesting the SOC 2. Ask them the question: we are considering a 3 month type 2 scope period; will this meet your needs, or do you have other expectations? They may ask you "what is a scope period" or they may tell you they would like to see 6 months. Ultimately, we believe it's important to be transparent during planning so you have confidence that the report produced will provide you with value.
Does SOC 2 require me to complete a penetration test?
Potentially. Penetration testing can be a valuable control, but the requirement is driven by the expectations of customers and business partners.
There are also many options in the market that present themselves as penetration tests and tools that can be used to conduct the exercise internally - which all produce a range in cost and value. Our focus is helping you understand these options and making the right selection for what you need.
Do I need to complete my penetration test (or other controls) in the type 2 testing window?
Not necessarily. We believe the risk and business needs should drive these decisions (not the compliance examination).
Of course, if you have committed to an annual penetration test and it has been 14 months since one was completed - that’s likely something that should be a priority. Otherwise we will work with you on the best report presentation option if this isn’t a control we are able to test during the type 2 scope period.
Why does a CPA need to be involved in an IT security report?
The service was created by CPAs, or more specifically the American Institute of Certified Public Accountants (AICPA), so they get to set the rules.
But keep in mind, the CPA profession is viewed as one of the most trustworthy in the world and has the infrastructure in place for auditing, reporting and oversight. Like every occupation, CPAs are being forced to evolve, and SOC 2 created an incredible opportunity for people like us to work more closely with the IT community. However, the need for a CPA is limited to the individual who signs the report, and we happen to have one of those. Also, while we respect the CPA profession a great deal, we don't believe you need to be a CPA to understand SOC or provide education on cybersecurity.
How do you avoid surprises during the exam? Are there circumstances where my fixed fee quote will increase?
We believe the most critical time during a project is the planning phase. We like to get aligned with our client before a scope period begins on the key controls and the evidence that will be tracked to document control operation. We also set very clear expectations for what will be expected from the client's staff (and from our team) during the project so that everyone is held accountable.
We’re fortunate at MJD, because a focus on planning and expectations allows us to avoid the surprise “extra bill”. Generally, the only time additional costs are necessary is when a client does not invest in the process or respect the time of our team. Incomplete responses, exceptions and findings or a lack of transparency are the areas that most commonly result in additional services. These projects are always uncomfortable and keep us from being our best (for you and our other clients) which is why we would prefer to exit the relationship at the appropriate time, instead of making “extra bills” a normal occurrence.