Written by: Alexander T. Hintlian, CISA, CCSFP
If your customers are asking you for both a System and Organization Controls (SOC) 2 Report and a HITRUST Certification Report, you are aware of the extensive controls and documentation expected to satisfy both of these reporting requirements. Performing these reports as two separate audits demands a significant time commitment from your potentially resource-stretched organization. In an effort to create a more efficient reporting structure, the American Institute of CPAs (AICPA) collaborated with the Health Information Trust (HITRUST) Alliance to align their reporting frameworks and develop a combined assurance program known as the SOC 2 + HITRUST.
The SOC 2 + HITRUST program maps between the HITRUST Common Security Framework (CSF) requirements and the AICPA’s Trust Services Criteria. This allows you and other service organizations to report on controls to meet both requirements in a single report. In this article, we will discuss the various combined reporting options for service organizations, and the benefits and downsides to this program.
Which Should You Choose?
The SOC 2 + HITRUST reports are designed to help service organizations that create, access, store or exchange protected health information (PHI) meet their dual reporting requirements. The primary benefit of the combined report is that it leverages the overlap between the two frameworks in order to audit controls once and streamline report deliverables to customers.
There are currently two options for combined reporting:
- SOC 2 + HITRUST CSF
- SOC 2 + HITRUST CSF + CSF Certification
The SOC 2 + HITRUST CSF requires an independent CPA firm to offer an opinion on whether a service organization’s controls are suitably designed and operating effectively to meet the applicable trust services criteria as well as the HITRUST CSF requirements. This type of report can be issued by any CPA firm and does not leave your organization HITRUST certified. Of the two reports, this will be easier to obtain.
The other option is the SOC 2 + HITRUST CSF + CSF Certification, which offers the same opinion but also includes a copy of the CSF certification report issued by the HITRUST Alliance. A CPA firm that is also an approved CSF Assessor and registered with the HITRUST Alliance must issue this type of report. This second type of report is more difficult to obtain because it also requires undergoing the HITRUST certification process. That said, it will be a more comprehensive report and will provide your organization a HITRUST certification as well.
What To Keep In Mind
Reducing inefficiencies by combining two audits into one can be very effective. However, there are potential downsides to consider. For instance, SOC 2 + HITRUST reports require service organizations to adopt the security, availability, and confidentiality criteria. For organizations that have only completed a SOC 2 report on the security criterion, this will mean an additional level of effort to incorporate the other required criteria in order to successfully complete their report.
Lastly, by combining both the SOC 2 and HITRUST reports, any issues identified in one area could have an adverse effect on the entire report. If an organization has all the controls necessary to meet the SOC 2 criteria but fails any of the 75 required HITRUST controls, this could result in an unqualified opinion in the SOC 2 + HITRUST report. The integration between these two reports would mean the effectiveness of one set of controls would now have an impact on the other.
The current SOC 2 + HITRUST combined reporting is an extensive process; however, there is substantial value in utilizing the control mapping to align overlapping controls across the HITRUST CSF and Trust Services Principles. Organizations with dual reporting requirements should schedule their SOC 2 and HITRUST audits in tandem, regardless of whether one of the combined reports is used. This approach allows your CPA firm to create efficiencies by testing any overlapping controls once, even if you continue to request separate reports.