SOC 2 + HITRUST vs. HITRUST Certified CSF reports - the Fundamentals

The System and Organization Control (SOC) 2 Type II report is performed for service companies by CPA firms to attest to the design and operating effectiveness of the service company’s IT internal controls through AICPA Trust Services Categories. For those in the accounting and IT control world, it is probably the first report that comes to mind when considering reporting on third-party IT controls. However, also emerging in the industry for IT control reporting is the HITRUST Common Security Framework (CSF).  The HITRUST CSF is a certifiable security framework that was originally designed for companies to demonstrate protection of electronic Protected Health Information (ePHI), and will evolve with the release of the CSF version 10 to be applicable to all industries.  It is possible to combine both criteria in a “SOC 2 + HITRUST” report. This article aims to outline the differences in report opportunities with SOC 2 and HITRUST CSF, the possibility of combining both criteria into one report, and how to decide which report is right for your business.

What are the major differences between the SOC 2 report and the HITRUST CSF certification?

At a high level, SOC 2 Type II reports are performed by CPA firms to opine on the suitability of design and operating effectiveness of a company’s controls, and typically cover a period of one year. The AICPA is the governing body of the report and controls are based on one or more of the AICPA’s Trust Services Categories (Security, Availability, Confidentiality, Privacy, and Processing Integrity). The SOC 2 is a reporting framework in which management identifies their controls in place within a system description, and the audit firm tests and reports on them. The final report will include the independent service auditor’s report, a signed management assertion, the description of the system written by management, and a description of controls tested and their results. Exceptions noted can be addressed by management in a “management response.” However, the auditor does not opine on these responses.

HITRUST Certified CSF (validated) reports require a bit more explanation.  A major difference to keep in mind is that the examiner must be a HITRUST CSF Assessor. HITRUST offers training courses for individuals to certify their knowledge, enabling their firm to perform assessments. HITRUST, a private company, owns the certification process and ultimately prepares the final report. The standards tested are leveraged from already existing regulations and standards including HIPAA, NIST 800-53, COBIT, PCI, and ISO 27001. Overall, they cover 14 security and privacy control categories which include: Access Control, Risk Management, and Physical and Environmental Security, among others. Unlike the SOC report, in which a company’s management identifies their own controls, the HITRUST CSF is a control framework that outlines the controls that are required to be implemented by organizations seeking certification. 

The HITRUST report contains a management representation letter, detail on the scope of systems assessed, detail on each control area, and a testing summary. If any requirements score below a certain threshold, the company’s management is required to submit a Corrective Action Plan (CAP). CAPs are required for certification and reviewed by HITRUST prior to their addition to the report. This certification, once obtained, has a life of two years. Within the second year, there is an interim assessment that consists of testing minimum samples for each domain.

What does a combined SOC 2 + HITRUST report entail?

The two reports described above are quite extensive and differ in a variety of ways. In acknowledgement of this, the AICPA and HITRUST have collaborated to provide guidance on mapping the HITRUST CSF to Trust Services Criteria (specifically to Security, Availability, Privacy, and Confidentiality), enabling firms to issue a single SOC 2 + HITRUST report. It’s important to note that while both frameworks are used in tandem, the AICPA is the governing body over the combined criteria.  A CPA firm can issue this report, as long as they have a valid license to utilize the HITRUST CSF.

The final report is much more similar in nature to the SOC 2 than to the HITRUST report. There is a signed assertion by the company’s management, the independent auditor’s report, and a written description of the system provided by company management. The final section is the major difference, since it contains the results of tests of controls of both the Trust Services criteria and the HITRUST controls tested. This section will depict how the HITRUST controls were mapped into the Trust Services Criteria. The independent auditor’s report contains the auditor’s opinion on both AICPA and HITRUST controls.

There is another combined report option which allows an organization to obtain an opinion on SOC 2 + HITRUST and obtain a HITRUST CSF Certification. This is very similar to the combined report described above; however, it also includes a separate HITRUST CSF certification report. 

What kind of report should my company issue?

This question is not as difficult to answer as it seems, even though there are varied options available. First and foremost, understand what kind of report would best serve your clients, or be aware of what your client is already looking for from you. Continue by forming an understanding of what the scope of the report should include. Be sure to consider that if the Processing Integrity category is in scope, there is no mapping of that category to HITRUST, and therefore the HITRUST CSF cannot report on controls in place for that category. If your organization accesses, stores, or in any way handles ePHI (or any information of a sensitive nature), consider the combined report to leverage HITRUST's robust controls and AICPA Security requirements to demonstrate your ability to protect data.

If a joint report seems to be the most appropriate route, remember that there are two options. The SOC 2 + HITRUST report will be easier to obtain, provided you ensure that the CPA firm you utilize is licensed to perform this assessment. When SOC 2 and HITRUST criteria are combined, failure in a HITRUST control could also mean a qualified opinion in the SOC report: a double whammy. However, if your organization is able to accept that risk, this report creates significant time and cost efficiencies. If meeting both criteria and being HITRUST CSF certified is your priority, the best option will be the SOC 2 + HITRUST + CSF Certification report. This is more difficult to obtain and must be performed by an approved CSF assessor. Ultimately though, it will provide the most comprehensive report and the certification.

If you would like additional information on the different reports, advice on how to decide which is right for your organization, or to contact us for further information, please visit the following website: https://schneiderdowns.com/cybersecurity/hitrust-csf-reporting


© 2020 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
