Assessors and auditors generally determine control effectiveness regardless of what controls are specified, although there is usually a negotiation between the auditor/assessor and the organization before the final report is issued.
However, assessors actually have more leeway in assessing the effectiveness of an organization's controls, and in determining what those controls should be, when a framework like the HITRUST CSF is not used. Before an assessor can become a HITRUST-approved External Assessor organization, it undergoes a vetting process covering its assessment methods and the experience and qualifications of its staff. It is also required to adhere to HITRUST guidelines for CSF assessments, and each validated or certified assessment undergoes a quality review by HITRUST to ensure consistency and repeatability regardless of which External Assessor does the work.
For more information, refer to the External Assessor Datasheet.