Impacted Policy/Program Name
CSF Assurance Program
July 31, 2017
This advisory is being issued to address situations where a service organization has decided to pursue a SOC report and a HITRUST CSF Validated assessment report, and engages separate organizations to perform the work supporting the two reports. When this occurs and the HITRUST Authorized External assessor organization intends to rely on a SOC report that was performed as part of an AICPA SOC engagement, there are certain considerations which should be addressed during engagement planning.
First, determine if you are entitled to use the SOC Report:
Since SOC reports are limited distribution reports, the service organization (unless it is a user of its own service) and its HITRUST Authorized External Assessor organization are typically not intended users (user organizations) of a SOC report issued by the service organization that contains an independent opinion provided by the service auditor. For any organization to be an intended user of a SOC report, they have to be users of the service that is covered within the service organization’s SOC report. If the user organization and its HITRUST Authorized External Assessor are not intended users of the report, they cannot directly place reliance on the SOC report for purposes of testing to support a HITRUST CSF Validated assessment.
Next, determine if you can place reliance on report if an intended user:
If, however, the user organization, and by extension its HITRUST Authorized External Assessor organization, are intended users of the SOC report, they may be able to place reliance on the SOC report. This reliance is subject to the understanding/expectation that in a HITRUST CSF assessment the control requirements are very prescriptive. So, for the assessor to rely on the SOC report, it would need evidence of that granular level of detail, both in the section that describes the controls as well as in the auditor’s section where the controls were tested and the results of those tests were disclosed. For example, simply having in the description that the service organization has password management policies and procedures and the service auditor simply stating it tested the password management system would not suffice. The report would have to contain more detail and the assessor organization would need to obtain a copy of the associated testing workpapers to support the operating effectiveness of the control for inclusion in its workpapers, which is not a probable scenario in the market place. If work papers are successfully obtained, the assessor organization must follow the professional standards that are in place when reperforming the work of others, which include but are not limited to assessing the competency, objectivity and independence of the firm performing the SOC report work. The assessor organization would also have to draw their own conclusions on the evidence obtained through the execution of their own independent procedures.
Also, during the HITRUST QA process, HITRUST will ask for testing evidence in support of the certification. Responding to this request along the lines of “relied on the SOC 2 testing” would not be sufficient. HITRUST would need evidence that the SOC 2 testing included the level of detail and rigor discussed in the previous paragraph. Besides the testing workpapers, this may require the assessor organization to perform a walk through to verify its understanding, along with a reference to the specific description/tests performed by the service auditor. It is important to understand if its client is an intended user of any SOC report to support a validated assessment engagement, a level of due diligence and independent verification in line with the published assessor guidance must be performed by the assessor organization. This would include determining if the testing that was done for the SOC reports was adequate and appropriate given the scope of the assessment report to address the HITRUST CSF requirement(s). It is also important for assessors to understand that even if they are an intended user of a SOC report as an extension of management, the intended use of that report must be appropriately understood in order for an assessor organization to rely on the report, which can be accomplished through a discussion with the service organization. Failure to abide by these rules may result in HITRUST not issuing a validated/certified report and could lead to sanctions being imposed on an assessor organization.
As a final consideration and given the sensitivity of workpapers, the CPA organization will likely be reluctant to provide access/copies of their workpapers to the HITRUST Authorized External Assessor organization. So where two different organizations are involved in producing a SOC report and a HITRUST CSF Validated assessment report, there will need to be discussions with service organization management and whether the sharing of testing procedures is an option.
Timetable for Implementation
Immediate: This bulletin is a clarification to the existing process and will impact all assessments submitted to HITRUST as of the date of issuance of this advisory.