SOC 2 + HITRUST vs. HITRUST Certified CSF reports - the Fundamentals

The System and Organization Control (SOC) 2 Type II report is performed for service companies by CPA firms to attest to the design and operating effectiveness of the service company’s IT internal controls through AICPA Trust Services Categories. For those in the accounting and IT control world, it is probably the first report that comes to mind when considering reporting on third-party IT controls. However, also emerging in the industry for IT control reporting is the HITRUST Common Security Framework (CSF).  The HITRUST CSF is a certifiable security framework that was originally designed for companies to demonstrate protection of electronic Protected Health Information (ePHI), and will evolve with the release of the CSF version 10 to be applicable to all industries.  It is possible to combine both criteria in a “SOC 2 + HITRUST” report. This article aims to outline the differences in report opportunities with SOC 2 and HITRUST CSF, the possibility of combining both criteria into one report, and how to decide which report is right for your business.

What are the major differences between the SOC 2 report and the HITRUST CSF certification?

At a high level, SOC 2 Type II reports are performed by CPA firms to opine on the suitability of design and operating effectiveness of a company’s controls, and typically cover a period of one year. The AICPA is the governing body of the report and controls are based on one or more of the AICPA’s Trust Services Categories (Security, Availability, Confidentiality, Privacy, and Processing Integrity). The SOC 2 is a reporting framework in which management identifies their controls in place within a system description, and the audit firm tests and reports on them. The final report will include the independent service auditor’s report, a signed management assertion, the description of the system written by management, and a description of controls tested and their results. Exceptions noted can be addressed by management in a “management response.” However, the auditor does not opine on these responses.

HITRUST Certified CSF (validated) reports require a bit more explanation.  A major difference to keep in mind is that the examiner must be a HITRUST CSF Assessor. HITRUST offers training courses for individuals to certify their knowledge, enabling their firm to perform assessments. HITRUST, a private company, owns the certification process and ultimately prepares the final report. The standards tested are leveraged from already existing regulations and standards including HIPAA, NIST 800-53, COBIT, PCI, and ISO 27001. Overall, they cover 14 security and privacy control categories which include: Access Control, Risk Management, and Physical and Environmental Security, among others. Unlike the SOC report, in which a company’s management identifies their own controls, the HITRUST CSF is a control framework that outlines the controls that are required to be implemented by organizations seeking certification. 

The HITRUST report contains a management representation letter, detail on the scope of systems assessed, detail on each control area, and a testing summary. If any requirements score below a certain threshold, the company’s management is required to submit a Corrective Action Plan (CAP). CAPs are required for certification and reviewed by HITRUST prior to their addition to the report. This certification, once obtained, has a life of two years. Within the second year, there is an interim assessment that consists of testing minimum samples for each domain.

What does a combined SOC 2 + HITRUST report entail?

The two reports described above are quite extensive and differ in a variety of ways. In acknowledgement of this, the AICPA and HITRUST have collaborated to provide guidance on mapping the HITRUST CSF to Trust Services Criteria (specifically to Security, Availability, Privacy, and Confidentiality), enabling firms to issue a single SOC 2 + HITRUST report. It’s important to note that while both frameworks are used in tandem, the AICPA is the governing body over the combined criteria.  A CPA firm can issue this report, as long as they have a valid license to utilize the HITRUST CSF.

The final report is much more similar in nature to the SOC 2 than to the HITRUST report. There is a signed assertion by the company’s management, the independent auditor’s report, and a written description of the system provided by company management. The final section is the major difference, since it contains the results of tests of controls of both the Trust Services criteria and the HITRUST controls tested. This section will depict how the HITRUST controls were mapped into the Trust Services Criteria. The independent auditor’s report contains the auditor’s opinion on both AICPA and HITRUST controls.

There is another combined report option which allows an organization to obtain an opinion on SOC 2 + HITRUST and obtain a HITRUST CSF Certification. This is very similar to the combined report described above; however, it also includes a separate HITRUST CSF certification report. 

What kind of report should my company issue?

This question as not as difficult to answer as it seems, even though there are varied options available. First and foremost, understand what kind of report would best serve your clients, or be aware of what your client is already looking for from you. Continue by forming an understanding of what the scope of the report should include. Be sure to consider that if the Processing Integrity category is in scope, there is not a mapping of that category to HITRUST, and therefore the HITRUST CSF cannot report on controls in place for that category.  If your organization accesses, stores, or in any way handles ePHI (or any information of a sensitive nature), consider the combined report to leverage HITRUST’s robust controls and AICPA Security requirements to demonstrate your ability to protect data.

If a joint report seems to be the most appropriate route, remember that there are two options. The SOC 2 + HITRUST report will be easier to obtain, granted you ensure that the CPA firm you utilize is licensed to perform this assessment. When SOC 2 and HITRUST criteria are combined, failure in a HITRUST control could also mean a qualified opinion in the SOC report: a double whammy. However, if your organization is able to accept that risk, this report creates significant time and cost efficiencies.  If meeting both criteria and being HITRUST CSF certified is your priority, the best option will be the SOC 2 + HITRUST CSF+ CSF Certification. This is more difficult to obtain and must be performed by an approved CSF assessor. Ultimately though, it will provide the most comprehensive report and the certification.

If you would like additional information on the different reports, advice on how to decide which is right for your organization, or to contact us for further information, please visit the following website: https://schneiderdowns.com/cybersecurity/hitrust-csf-reporting