
Thank you for considering MJD Advisors
MJD Advisors is a boutique CPA firm with a niche focus on providing SOC 2 reports and related services to innovative technology companies worldwide.


We started MJD Advisors in 2021 because compliance is too complicated, so we created an approach that leverages technology and common sense to deliver a valuable service based on your needs. You should expect collaboration, clear guidance and communication, transparency, and continuous improvement when you work with us. We’re excited about the chance to work with you and look forward to meeting you.



Introductory Call
Who is MJD Advisors, and who are you? We’ll listen as you share your company's story, and we’ll share ours, too. We want to ensure we understand your needs and pain points so we can design a project customized to you. There will be lots of time for questions and conversation as we get to know each other, and we want you to come away excited to work with us.

Proposal and Engagement Letter

After our introductory call, we will follow up with a proposal outlining our services, process, and pricing for you to review. If you believe this is the right fit, we just need to collect some contact and legal information for an engagement letter. Our systems are built to be light and agile, so we can get started tomorrow, next month, or next year (or whenever you are ready). This is exciting!

Kickoff and Walkthrough Sessions

The next step in our process is a series of interactive sessions (30-60 minutes) that provide a deep dive into your infrastructure, application development, and operations. We provide you with a detailed agenda and expectations up front and look to create a forum where we can understand the nuance of your product, answer your questions, resolve any anxieties about the process, and collect evidence.
The meeting format is designed to touch on potential operational improvements and areas of friction we have experienced on previous projects, and addressing concerns in real time eliminates much of the back and forth that has historically plagued this service.
Here’s a breakdown of each session and what you can expect to cover:

Kickoff Session
We want to see your product in action! We’ll ask you to share your screen and show us what you’ve built. Then, we’ll decide on a timeline for subsequent meetings and answer any questions.


Application Development Session
In the application development session, we’ll request a demonstration of your software development process to understand how you ship new features and maintain the code.

Operations Session
In the operations session, we’ll review some of the engagement's softer and more procedural areas (governance, risk management, and HR) and provide pragmatic suggestions on how to document these controls without unnecessary bureaucracy.

After the final walkthrough session, all subsequent work is completed asynchronously unless additional needs or questions require a conversation. Please ask questions and share concerns.


Client Review and Report Collaboration

Following the walkthrough sessions, we take what we have learned and prepare a draft of your report. We write many SOC 2 reports and carry the heavy lifting on preparation so you can focus on reviewing the finer points. The draft tells the story of how you care for customer information, and our goal is to provide a beautiful product that helps others understand the work you have done.
We share the draft in a Google Doc, which we also use to cover any last questions or outstanding issues, leaving you with a full picture of the final steps on a single pane of glass.

Final Report Issued

Once we’ve agreed on the final report, our team will conduct a final review and prepare to issue the report, which will take no more than a few days. Time to celebrate!
Frequently Asked Questions
What is your experience with SOC 2 reports, and how many have you completed?
We issued our first report in 2021 and have issued over 300 since. SOC 2 accounts for over 90% of our work, and everyone on the team has significant experience with prior firms.
What is your approach to working with clients going through a SOC 2 audit for the first time?
Proper preparation sets the foundation for a successful engagement. If you are still working on policies and setting up the program, it can be really helpful to use us as a sounding board instead of trying to guess what an auditor will think, which is a value we bring to clients on an ongoing basis. It’s also beneficial to us to get those questions in advance, as the complicated and unique aspects of your system are what we’ll want to understand for the exam.
Initial engagements generally undergo a readiness stage that many firms separate from the examination. We find these processes overlap and complete them in tandem so we can continue moving forward. We also use this time to guide and advise on control implementation.
Regardless of your program's maturity, everything we do starts with solid planning. We will begin by fully reviewing your policies and evidence and forming the blueprints for our project plan to guide the examination.
What is your process like? How long does it take?
Agile and iterative are words we use a lot. We spread out the project, let you drive the timeline, and do our work in bursts to collaborate. Timing typically depends on the state of your program and where you are with policies, as we have some methods for helping there. If you come to us as "ready," our standard Type 1 process is usually around six weeks and begins with an introductory call followed by:
- Week 1 - Demo/kickoff meeting (30-60 minutes)
- Week 2 - Infrastructure meeting (60 minutes)
- Week 3 - Application development meeting (60 minutes)
- Week 4 - Operations (45-60 minutes)
- Week 5 - Wrap up and report prep (async)
- Week 6 - Report review, collaboration, and report issuance (async)
In the meetings outlined above, we will ask you to share your screen and walk us through different parts of your system. These interactive sessions allow us to gather evidence, do some testing, and answer any questions to avoid a lot of back-and-forth.
One of the signature aspects of working with MJD is the support we provide during reporting. You are provided a highly customized initial draft and collaborate with our team to move together through the reporting stage. We also use this document to capture any remaining requests and questions so the final path to report issuance is centralized and you know exactly what’s left.
How do you base your pricing?
We believe in a fixed-fee pricing model to provide a predictable project cost. This helps avoid the “meter running” feeling you get when you work with a consultant at an hourly rate, and we want you to ask questions.
We consider several things when we put a proposal together for you; here are a few:
- The type of examination
- Number of employees
- Number of applications to cover
- The trust services criteria (TSCs) you want to cover
- Whether or not it is a first-time exam
- Whether or not you use a compliance management platform
How do you stay independent?
Independence is a professional requirement for CPAs and is something we place a lot of emphasis on at MJD Advisors. These rules allow us to be very consultative as long as you take responsibility for the decision-making, which is something we truly embrace. We will always provide guidance and advice but won’t “require” you to do anything that wouldn’t be asked of your customer. Our best projects are with clients that take ownership of the security program so we can recommend best practices, perform efficient procedures, and do our best to stay out of the way.
Is there a requirement to be on-site, or can the process be completed remotely?
No, we do all of our work virtually.
What is your approach to handling sensitive data and ensuring the confidentiality of our information?
The primary method for safekeeping your data is to prevent it from ever touching our systems. We write our requests to limit confusion and leverage systems you control where possible to minimize what needs to be protected.
The audit-related information that is retained in our systems is isolated and stored in client-specific sections of Notion, Google Drive, and Google Cloud Platform.
What happens after I complete my first SOC 2 report?
SOC 2 provides unlimited options for your ongoing compliance, and we are here to guide you on that journey. The best practice is to complete an annual examination that covers the previous 12 months, and our intent is to win your trust so you are excited to kick off that next project once the first report is issued. That gives us an opportunity to help you build out your compliance roadmap and support you throughout the year as questions arise and you onboard new technology and employees.
Nobody wants a "continuous audit." Our goal is to support your continuous compliance by having resources available to you on an ongoing basis.


