Over the past few years, it seems like there is a new compliance framework that companies are required to follow every year. And many companies are trying to understand which one applies, how many they are required to obtain, and how much it is going to cost. This blog will discuss two frameworks: SOC 2 and HITRUST CSF. We will discuss what they are, whether they can be mapped, and if they can be used interchangeably or combined together.
What is a SOC 2 Engagement?
According to the AICPA, a SOC 2 engagement is “an examination engagement to report on whether (a) the description of the service organization’s system is in accordance with the description criteria, (b) the controls were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria, and (c) in a type 2 report, the controls operated effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.”
Simply put, a SOC 2 engagement reports on whether the controls were suitably designed and, in a type 2 report, operated effectively against the applicable trust services criteria. The trust services criteria are organized into five categories, and a SOC 2 report can cover any combination of them:
- Security (always included)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Security is always included; the other four are optional and are added depending on the service provided. SOC 2 reports are meant to satisfy the needs of users in any industry who require assurance that the information a service organization houses or processes is protected, and that the service will not undermine the security, availability, processing integrity, confidentiality, or privacy of their own systems, as applicable.
What is a HITRUST[1] Engagement?
Health Information Trust Alliance (HITRUST) was founded in 2007 and is a “not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.”
Although the HITRUST Common Security Framework (CSF) is meant to be a framework for organizations across all industries, it was created in response to a number of healthcare challenges: inconsistent application of healthcare-specific requirements (such as HIPAA), controls that were ineffective because their objectives were understood differently from one organization to the next, increased scrutiny of these issues from regulators, auditors, and customers, and a rise in data breaches and exploited system vulnerabilities. Generally speaking, the HITRUST framework is used by companies that in some capacity handle electronic protected health information (ePHI).
To bring more consistency to the industry, HITRUST created the HITRUST CSF, a certifiable compliance and risk management framework that harmonizes requirements from a variety of standards and regulations, including HIPAA, COBIT, NIST, PCI DSS, and ISO 27001. Each requirement is evaluated against a five-level maturity model: whether a policy exists, whether a procedure exists, whether the control is implemented, whether it is measured, and whether it is managed. For more detailed information, check out our blog on the HITRUST certification process.
What is the Difference Between HITRUST & SOC 2?
One of the main differences between a SOC 2 and a HITRUST CSF assessment is that a SOC 2 is an attestation report, while a HITRUST assessment results in a certification. In an attestation report, management asserts to the information presented to the users within the report, and the independent party (the auditors) expresses an opinion on those assertions.
An opinion can be unqualified (also called clean), qualified, or adverse. A qualified opinion means testing found exceptions significant enough that at least one of the objectives or criteria identified by management was not met; an adverse opinion means the exceptions were pervasive and most of those objectives were not met. A qualified report can still be relied upon, but the user should follow up with the company to determine whether proper remediation steps have been taken to address the issues going forward.
How Long is a SOC 2 Report Good For?
SOC 2 reports are issued annually. For Linford & Co, it generally takes one to three months to complete and deliver the report, depending on how quickly the SOC client can provide the evidence needed to complete testing; the testing itself generally takes one to two weeks.
Unlike a SOC report, a HITRUST report comes with a certification. A HITRUST assessment is also far more detailed, covering roughly five times as many controls, because it incorporates requirements from the variety of standards (mentioned above) harmonized within the HITRUST CSF. In a HITRUST report, management submits a Letter of Representation, which takes the place of the management assertion found in a SOC report. A Letter of Representation is also obtained during a SOC engagement, but it is not presented within the final report.
How Long is a HITRUST Certification Good For?
Finally, the result is presented in the HITRUST report as a Letter of Certification or a Letter of Validation, depending on the final score of the assessment. See HITRUST’s FAQ page for more information on the specifics. A HITRUST certification lasts two years, with an interim assessment completed at the one-year mark; the interim assessment is considerably reduced in scope compared with the year-one testing. In general, HITRUST testing takes longer to complete because of the larger number of controls, and it costs roughly twice as much as a SOC 2. Both depend on the number of systems in scope and the size of the organization.
What is a SOC 2+HITRUST Report?
When determining which report your company needs, the first consideration should always be the requirements set by clients, stakeholders, or service level agreements. As of today, HITRUST reports are mainly adopted by data centers, applications, and platforms that house ePHI. That said, HITRUST is available to any industry that would like to incorporate the framework into its compliance program.
How Much is SOC 2 Mapped to HITRUST?
If your company wants both reports, a HITRUST assessment maps to the controls needed to support a SOC 2 opinion on the security, confidentiality, and availability categories of the trust services criteria. Testing to maintain the SOC 2 opinion must still be completed annually, unlike the HITRUST certification. Another option is the SOC 2 + HITRUST CSF report. In this scenario, the CPA firm performs procedures to test the design and operating effectiveness of the controls as they relate to both the SOC 2 trust services criteria and the HITRUST CSF. This report, however, does not include a Letter of Certification unless the CPA firm is also an authorized HITRUST CSF assessor and HITRUST has certified the assessment.
How Much is a SOC 2+HITRUST Report?
While the price of these reports varies with the systems or services in scope, a SOC 2 + HITRUST report generally costs less than a certified HITRUST assessment, mainly because the extent of testing required for a SOC 2 is smaller than for a HITRUST assessment. It is also important to review contractual obligations before deciding on a SOC 2 + HITRUST: if a contract requires a certified HITRUST assessment, a SOC 2 + HITRUST report will not suffice.
SOC 2 vs. HITRUST Summary
Determining which report your company requires generally depends on a number of different variables such as time, budget, and need.
As mentioned above, the best first step is to understand the needs of your current or prospective clients, stakeholders, and reference the requirements outlined within any business agreements.
The next variable to consider is your company’s industry. If your company stores or processes ePHI, HITRUST may make sense. Otherwise, it may make sense to start with a SOC 2 and transition to HITRUST later if your company’s needs change.
Understanding the different reports can help you come to a conclusion about which report makes the most sense today and how to move forward in the future.
Check out the Linford & Company services page for a complete listing of services we provide and how to contact us with any questions your company has regarding SOC 2 Audits, HITRUST Certifications, or any of our other services.
[1] HITRUST CSF reports in this blog are assumed to be validated assessments completed by a HITRUST assessor.
This article was originally published on 4/11/2018 and was updated on 7/7/2021.
Jaclyn Finney started her career as an auditor in 2009. She joined Linford & Co., LLP in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP, and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.