Loading...

Subscribe to newsletters
About Us
Industries
Careers
Events
Locations
Services
Professionals
Client Portals
Insights
Contact Us
Legal & Privacy
Pay Invoice

Baker Tilly US, LLP and Baker Tilly Advisory Group, LP and its subsidiary entities provide professional services through an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly US, LLP is a licensed independent CPA firm that provides attest services to clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and business advisory services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities are not licensed CPA firms. © 2025 Baker Tilly Advisory Group, LP

Baker Tilly Advisory Group, LP and Baker Tilly US, LLP are independent members of Baker Tilly International. Baker Tilly International Limited is an English company. Baker Tilly International provides no professional services to clients. Each member firm is a separate and independent legal entity and each describes itself as such. Baker Tilly Advisory Group, LP and Baker Tilly US, LLP are not Baker Tilly International’s agent and do not have the authority to bind Baker Tilly International or act on Baker Tilly International’s behalf. None of Baker Tilly International, Baker Tilly Advisory Group, LP, Baker Tilly US, LLP, nor any of the other member firms of Baker Tilly International has any liability for each other’s acts or omissions. The name Baker Tilly and its associated logo is used under license from Baker Tilly International Limited.

hitrust inheritance model efficiency

International payment solutions provider gains efficiencies to multiple HITRUST assessments by leveraging inheritance model 

Client background

The client is a large public company and an international provider of physical, digital and virtual corporate payment solutions. Baker Tilly engages with the client on a variety of projects, including but not limited to System and Organization Controls (SOC) 1® and SOC 2® reports, as well as National Institute of Standards and Technology (NIST) and HITRUST assessments.

The business challenge

Due to the organization’s size and their variety of product offerings, the client chose to split their 450+ control requirement HITRUST Validated Assessment into two separate scoping objects. As a result of the large control sets and regulatory factors required for each HITRUST assessment, in conjunction with other ongoing annual projects and initiatives, client stakeholders historically experienced audit fatigue and were required to provide a cumbersome volume of documentation to meet various regulatory deadlines. Management reached out to Baker Tilly to inquire whether the firm could assist in reducing the stakeholder workload required to facilitate the multiple HITRUST assessments. 

Strategy and solution

Baker Tilly chose to leverage HITRUST’s internal inheritance model, which allows for reliance on the testing of previously completed assessments over like systems or processes within the organization, to eliminate redundant requests and create efficiencies in evidence collection. This approach created the following benefits for the organization: 

  • Provided complete or partial fulfillment for 63% of HITRUST assessment requests leveraging the HITRUST inheritance model. 
  • Reduced evidence collection for HITRUST assessments from two collection cycles to one. 
  • Recouping assessment fees to the client that were initially thought to be required to execute the assessment. 
  • Increased stakeholder buy-in and improved project morale for the entirety of the HITRUST audit year across engagements. 

Baker Tilly and the client are looking to build upon the internal inheritance model to continue creating value and minimizing stakeholder impact in subsequent assessment years. 

Connect with us to learn more

Related sections

  • Risk Advisory
  • Cybersecurity
  • HITRUST CSF Assessment Services
  • System & Organization Controls (SOC) Reporting

Article Tags

CybersecurityHITRUSTRisk AdvisoryNISTSystem & Organization Controls (SOC) Reporting